initial commit

.gitignore

@@ -0,0 +1,2 @@
+/.vscode
+/tgp

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2023 Heorhi Valakhanovich
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

go.mod

@@ -0,0 +1,7 @@
+module tgp
+
+go 1.19
+
+require (
+	github.com/BurntSushi/toml v1.2.1
+)

go.sum

@@ -0,0 +1,5 @@
+github.com/BurntSushi/toml v1.2.1 h1:9F2/+DoOYIOksmaJFPw1tGFy1eDnIJXg+UHjuD8lTak=
+github.com/BurntSushi/toml v1.2.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

main.go

@@ -0,0 +1,77 @@
+package main
+
+import (
+	"fmt"
+	"net"
+
+	"github.com/BurntSushi/toml"
+)
+
+var defaultConfig = `
+listen_url = "0.0.0.0:6666"
+secret = "dd000102030405060708090a0b0c0d0e0f"
+#secret = "00000000000000000000000000000000"
+`
+
+type Config struct {
+	Listen_Url string
+	Secret     string
+}
+
+func handleConnection(conn net.Conn, secret *Secret) {
+	// var initialPacket [initialHeaderSize]byte
+	// _, err := io.ReadFull(conn, initialPacket[:])
+	// if err != nil {
+	// 	conn.Close()
+	// 	return
+	// }
+	// // dump header
+	// println("header: " + hex.EncodeToString(initialPacket[:]))
+	// c, err := obfuscatedCryptoFromHeader(initialPacket, secret)
+	// if err != nil {
+	// 	println(err.Error())
+	// 	conn.Close()
+	// 	return
+	// }
+	// if true {
+	// 	buf := make([]byte, 4)
+	// 	err = c.ReadExact(buf, conn)
+
+	// 	if err != nil {
+	// 		println(err.Error())
+	// 		conn.Close()
+	// 		return
+	// 	}
+	// 	fmt.Printf("first packet bytes: %x %x %x %x\n", buf[0], buf[1], buf[2], buf[3])
+	// }
+	obfuscatedRoutine, err := obfuscatedRouterFromStream(conn, secret)
+	if err != nil {
+		println(err.Error())
+		return
+	}
+	obfuscatedRoutine.Wait()
+}
+
+func main() {
+	c := &Config{}
+	_, err := toml.Decode(defaultConfig, &c)
+	if err != nil {
+		panic(err)
+	}
+	fmt.Printf("listen: %s, secret: %s\n", c.Listen_Url, c.Secret)
+	secret, err := NewSecretHex(c.Secret)
+	if err != nil {
+		panic(err)
+	}
+	listener, err := net.Listen("tcp", c.Listen_Url)
+	if err != nil {
+		panic(err)
+	}
+	for {
+		conn, err := listener.Accept()
+		if err != nil {
+			return
+		}
+		go handleConnection(conn, secret)
+	}
+}

obfuscated.go

@@ -0,0 +1,147 @@
+package main
+
+import (
+	"encoding/hex"
+	"fmt"
+	"io"
+	"net"
+)
+
+const dc_port = "443"
+
+var dc_ip4 = [...]string{
+	"149.154.175.50",
+	"149.154.167.51",
+	"149.154.175.100",
+	"149.154.167.91",
+	"149.154.171.5",
+}
+
+var dc_ip6 = [...]string{
+	"2001:b28:f23d:f001::a",
+	"2001:67c:04e8:f002::a",
+	"2001:b28:f23d:f003::a",
+	"2001:67c:04e8:f004::a",
+	"2001:b28:f23f:f005::a",
+}
+
+const initialHeaderSize = 64
+
+const (
+	abridged     = 0xef
+	intermediate = 0xee //0xeeeeeeee
+	padded       = 0xdd //0xdddddddd
+	full         = 0
+)
+
+type obfuscatedRouter struct {
+	cryptClient       *obfuscatedClientCtx
+	cryptDc           *dcCtx
+	stream            io.ReadWriteCloser
+	readerJoinChannel chan error
+	writerJoinChannel chan error
+}
+
+func obfuscatedRouterFromStream(stream io.ReadWriteCloser, secret *Secret) (r *obfuscatedRouter, err error) {
+	var initialPacket [initialHeaderSize]byte
+	_, err = io.ReadFull(stream, initialPacket[:])
+	if err != nil {
+		return nil, err
+	}
+	cryptClient, err := obfuscatedClientCtxFromHeader(initialPacket, secret)
+	if err != nil {
+		return nil, err
+	}
+	// basic afterchecks
+	switch cryptClient.protocol {
+	case abridged, intermediate, padded:
+		break
+	default:
+		return nil, fmt.Errorf("invalid protocol %d", cryptClient.protocol)
+	}
+	if int(cryptClient.dc) > len(dc_ip4) || int(cryptClient.dc) < -len(dc_ip4) {
+		return nil, fmt.Errorf("invalid dc %d", cryptClient.dc)
+	}
+	//connect to dc
+	dcConnection, err := connectDC(int(cryptClient.dc))
+	if err != nil {
+		return nil, err
+	}
+	cryptDc, err := dcCtxFromClient(int(cryptClient.dc), cryptClient.protocol)
+	if err != nil {
+		return nil, err
+	}
+	readerJoinChannel := make(chan error, 1)
+	go func() {
+		_, err = dcConnection.Write(cryptDc.nonce[:])
+		if err != nil {
+			readerJoinChannel <- err
+			return
+		}
+		buf := make([]byte, 2048)
+		for {
+			size, err := stream.Read(buf)
+			if err != nil {
+				fmt.Printf("reader broken, size: %d\n", size)
+				readerJoinChannel <- err
+				return
+			}
+			cryptClient.decryptNext(buf[:size])
+			fmt.Printf("cl dec: %s\n", hex.EncodeToString(buf[:size]))
+			cryptDc.encryptNext(buf[:size])
+			_, err = dcConnection.Write(buf[:size])
+			if err != nil {
+				readerJoinChannel <- err
+				return
+			}
+		}
+	}()
+	writerJoinChannel := make(chan error, 1)
+	go func() {
+		buf := make([]byte, 2048)
+		for {
+			size, err := dcConnection.Read(buf)
+			if err != nil {
+				fmt.Printf("writer broken, size: %d\n", size)
+				writerJoinChannel <- err
+				return
+			}
+			cryptDc.decryptNext(buf[:size])
+			fmt.Printf("dc dec: %s\n", hex.EncodeToString(buf[:size]))
+			cryptClient.encryptNext(buf[:size])
+			_, err = stream.Write(buf[:size])
+			if err != nil {
+				writerJoinChannel <- err
+				return
+			}
+		}
+	}()
+	r = &obfuscatedRouter{
+		cryptClient:       cryptClient,
+		cryptDc:           cryptDc,
+		stream:            stream,
+		readerJoinChannel: readerJoinChannel,
+		writerJoinChannel: writerJoinChannel,
+	}
+	return r, nil
+}
+
+func (r obfuscatedRouter) Wait() {
+	<-r.readerJoinChannel
+	<-r.writerJoinChannel
+}
+
+func connectDC(dc int) (c net.Conn, err error) {
+	if dc < 0 {
+		dc = -dc
+	}
+	if dc < 1 || dc > len(dc_ip4) {
+		return nil, fmt.Errorf("invalid dc %d", dc)
+	}
+	dc_addr := dc_ip4[dc-1] + ":" + dc_port
+	c, err = net.Dial("tcp", dc_addr)
+	if err != nil {
+		return nil, err
+	}
+	return c, nil
+}

obfuscated_test.go

@@ -0,0 +1,25 @@
+package main
+
+import "testing"
+
+func TestGenInits(t *testing.T) {
+	//lint:ignore SA4006 this is a test
+	init, err := genHeader()
+	if err != nil {
+		t.Fatal(err)
+	}
+	if len(init) != initialHeaderSize {
+		t.Fatal("wrong init length")
+	}
+}
+
+func TestDecryptInit(t *testing.T) {
+	var init [initialHeaderSize]byte
+	for i := 0; i < len(init); i++ {
+		init[i] = byte(i)
+	}
+	dec := decryptInit(init)
+	if dec[0] != 55 || dec[47] != 8 {
+		t.Errorf("dec[0]=%d, dec[47]=%d", dec[0], dec[47])
+	}
+}

secret.go

@@ -0,0 +1,58 @@
+package main
+
+import (
+	"encoding/hex"
+	"fmt"
+)
+
+type SecretType int
+
+const simpleSecretLen = 16
+
+const (
+	Simple  SecretType = 1
+	Secured            = 2
+	FakeTLS            = 3
+)
+
+type Secret struct {
+	RawSecret []byte
+	Type      SecretType
+	Tag       byte
+	Fakehost  string
+}
+
+// Generate secret from  hex string
+func NewSecretHex(secret string) (*Secret, error) {
+	secretBytes, err := hex.DecodeString(secret)
+	if err != nil {
+		return nil, err
+	}
+	return NewSecret(secretBytes)
+}
+
+// Generate secret from byte array
+func NewSecret(secret []byte) (*Secret, error) {
+	switch {
+	case len(secret) == simpleSecretLen:
+		return &Secret{
+			RawSecret: secret,
+			Type:      Simple,
+		}, nil
+	case len(secret) == simpleSecretLen+1:
+		return &Secret{
+			RawSecret: secret[1 : simpleSecretLen+1],
+			Type:      Secured,
+			Tag:       secret[0],
+		}, nil
+	case len(secret) > simpleSecretLen+1:
+		return &Secret{
+			RawSecret: secret[1 : simpleSecretLen+1],
+			Type:      FakeTLS,
+			Tag:       secret[0],
+			Fakehost:  string(secret[simpleSecretLen+1:]),
+		}, nil
+	default:
+		return nil, fmt.Errorf("Incorrect secret length: %d", len(secret))
+	}
+}