Merge branch 'master' into staging-client

Psiphon-Labs · Dec 5, 2022 · 5641695 · 5641695
2 parents ca5adc9 + 5c99afd
commit 5641695
Show file tree

Hide file tree

Showing 1,142 changed files with 174,473 additions and 43,989 deletions.
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -15,7 +15,7 @@ jobs:
       fail-fast: false
       matrix:
         os: [ "ubuntu" ]
-        go: [ "1.17.13" ]
+        go: [ "1.19.2" ]
         test-type: [ "detector", "coverage", "memory" ]
 
     runs-on: ${{ matrix.os }}-latest
@@ -28,17 +28,16 @@ jobs:
 
     env:
       GOPATH: ${{ github.workspace }}/go
-      GO111MODULE: off
 
     steps:
 
       - name: Clone repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
         with:
           path: ${{ github.workspace }}/go/src/github.com/Psiphon-Labs/psiphon-tunnel-core
 
       - name: Install Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v3
         with:
           go-version: ${{ matrix.go }}
 
@@ -51,10 +50,10 @@ jobs:
       - name: Install coverage tools
         if: ${{ matrix.test-type == 'coverage' }}
         run: |
-          go get github.com/axw/gocov/gocov
-          go get github.com/modocache/gover
-          go get github.com/mattn/goveralls
-          go get golang.org/x/tools/cmd/cover
+          go install github.com/axw/gocov/gocov@latest
+          go install github.com/modocache/gover@latest
+          go install github.com/mattn/goveralls@latest
+          go install golang.org/x/tools/cmd/cover@latest
 
       - name: Check environment
         run: |

diff --git a/ClientLibrary/Dockerfile b/ClientLibrary/Dockerfile
@@ -21,7 +21,7 @@ RUN apt-get update -y && apt-get install -y --no-install-recommends \
 
 # Install Go.
 # NOTE: Go 1.10+ is required to build c-shared for windows (https://github.com/golang/go/commit/bb0bfd002ada7e3eb9198d4287b32c2fed6e8da6)
-ENV GOVERSION=go1.17.13 GOROOT=/usr/local/go GOPATH=/go PATH=$PATH:/usr/local/go/bin:/go/bin CGO_ENABLED=1
+ENV GOVERSION=go1.19.2 GOROOT=/usr/local/go GOPATH=/go PATH=$PATH:/usr/local/go/bin:/go/bin CGO_ENABLED=1
 
 RUN curl -L https://storage.googleapis.com/golang/$GOVERSION.linux-amd64.tar.gz -o /tmp/go.tar.gz \
    && tar -C /usr/local -xzf /tmp/go.tar.gz \

diff --git a/ClientLibrary/build-darwin.sh b/ClientLibrary/build-darwin.sh
@@ -9,12 +9,8 @@ if [ -z ${2+x} ]; then BUILD_TAGS=""; else BUILD_TAGS="$2"; fi
 # Note:
 #   clangwrap.sh needs to be updated when the Go version changes.
 #   The last version was:
-#   https://github.com/golang/go/blob/go1.17.13/misc/ios/clangwrap.sh
-#     - with a patch to lower -mios-version-min to 7.0
-GO_VERSION_REQUIRED="1.17.13"
-
-# At this time, we don't support modules
-export GO111MODULE=off
+#   https://github.com/golang/go/blob/go1.19.2/misc/ios/clangwrap.sh
+GO_VERSION_REQUIRED="1.19.2"
 
 BASE_DIR=$(cd "$(dirname "$0")" ; pwd -P)
 cd ${BASE_DIR}

diff --git a/ClientLibrary/clangwrap.sh b/ClientLibrary/clangwrap.sh
@@ -17,4 +17,4 @@ export IPHONEOS_DEPLOYMENT_TARGET=5.1
 # cmd/cgo doesn't support llvm-gcc-4.2, so we have to use clang.
 CLANG=`xcrun --sdk $SDK --find clang`
 
-exec "$CLANG" -arch $CLANGARCH -isysroot "$SDK_PATH" -m${PLATFORM}-version-min=7.0 "$@"
+exec "$CLANG" -arch $CLANGARCH -isysroot "$SDK_PATH" -m${PLATFORM}-version-min=12.0 "$@"
diff --git a/ClientLibrary/example/Makefile b/ClientLibrary/example/Makefile
@@ -5,8 +5,7 @@ main.o: main.c
 	gcc -I.. -c main.c
 
 libpsiphontunnel.so: ../PsiphonTunnel.go
-	# At this time, we don't support modules
-	GO111MODULE=off go build -buildmode=c-shared -o libpsiphontunnel.so ../PsiphonTunnel.go
+	go build -buildmode=c-shared -o libpsiphontunnel.so ../PsiphonTunnel.go
 
 clean:
 	rm libpsiphontunnel.so libpsiphontunnel.h main main.o

diff --git a/ClientLibrary/make.bash b/ClientLibrary/make.bash
@@ -16,9 +16,6 @@ if [ ! -d ${BUILD_DIR} ]; then
   mkdir ${BUILD_DIR}
 fi
 
-# At this time, we don't support modules
-export GO111MODULE=off
-
 prepare_build () {
 
   BUILDDATE=$(date --iso-8601=seconds)

diff --git a/ConsoleClient/Dockerfile b/ConsoleClient/Dockerfile
@@ -22,14 +22,11 @@ RUN apt-get update -y && apt-get install -y --no-install-recommends \
   && rm -rf /var/lib/apt/lists/*
 
 # Install Go.
-ENV GOVERSION=go1.17.13 GOROOT=/usr/local/go GOPATH=/go PATH=$PATH:/usr/local/go/bin:/go/bin CGO_ENABLED=1
+ENV GOVERSION=go1.19.2 GOROOT=/usr/local/go GOPATH=/go PATH=$PATH:/usr/local/go/bin:/go/bin CGO_ENABLED=1
 
 RUN curl -L https://storage.googleapis.com/golang/$GOVERSION.linux-amd64.tar.gz -o /tmp/go.tar.gz \
    && tar -C /usr/local -xzf /tmp/go.tar.gz \
    && rm /tmp/go.tar.gz \
    && echo $GOVERSION > $GOROOT/VERSION
 
-# Get external Go dependencies.
-RUN go get github.com/pwaller/goupx
-
 WORKDIR $GOPATH/src/github.com/Psiphon-Labs/psiphon-tunnel-core/ConsoleClient
diff --git a/ConsoleClient/make.bash b/ConsoleClient/make.bash
@@ -10,9 +10,6 @@ fi
 # $2, if specified, is go build tags
 if [ -z ${2+x} ]; then BUILD_TAGS=""; else BUILD_TAGS="$2"; fi
 
-# At this time, we don't support modules
-export GO111MODULE=off
-
 EXE_BASENAME="psiphon-tunnel-core"
 
 prepare_build () {
@@ -98,10 +95,10 @@ build_for_linux () {
   unset RETVAL
 
   echo "....UPX packaging output"
-  goupx --best bin/linux/${EXE_BASENAME}-i686
+  upx --best bin/linux/${EXE_BASENAME}-i686
   RETVAL=$?
   if [ $RETVAL != 0 ]; then
-    echo ".....goupx failed, exiting"
+    echo ".....upx failed, exiting"
     exit $RETVAL
   fi
   unset RETVAL
@@ -116,10 +113,10 @@ build_for_linux () {
   unset RETVAL
 
   echo "....UPX packaging output"
-  goupx --best bin/linux/${EXE_BASENAME}-x86_64
+  upx --best bin/linux/${EXE_BASENAME}-x86_64
   RETVAL=$?
   if [ $RETVAL != 0 ]; then
-    echo ".....goupx failed, exiting"
+    echo ".....upx failed, exiting"
     exit $RETVAL
   fi
   unset RETVAL

diff --git a/MobileLibrary/Android/Dockerfile b/MobileLibrary/Android/Dockerfile
@@ -19,7 +19,7 @@ RUN apt-get update -y && apt-get install -y --no-install-recommends \
   && rm -rf /var/lib/apt/lists/*
 
 # Install Go.
-ENV GOVERSION=go1.17.13 GOROOT=/usr/local/go GOPATH=/go PATH=$PATH:/usr/local/go/bin:/go/bin CGO_ENABLED=1
+ENV GOVERSION=go1.19.2 GOROOT=/usr/local/go GOPATH=/go PATH=$PATH:/usr/local/go/bin:/go/bin CGO_ENABLED=1
 
 RUN curl -L https://storage.googleapis.com/golang/$GOVERSION.linux-amd64.tar.gz -o /tmp/go.tar.gz \
   && tar -C /usr/local -xzf /tmp/go.tar.gz \

diff --git a/MobileLibrary/Android/PsiphonTunnel/PsiphonTunnel.java b/MobileLibrary/Android/PsiphonTunnel/PsiphonTunnel.java
@@ -33,6 +33,7 @@
 import android.os.Build;
 import android.os.ParcelFileDescriptor;
 import android.telephony.TelephonyManager;
+import android.text.TextUtils;
 import android.util.Base64;
 
 import org.json.JSONArray;
@@ -705,7 +706,7 @@ private String getDNSServers(Context context, HostLogger logger) {
 
         try {
             // Use the workaround, comma-delimited format required for gobind.
-            servers = String.join(",", getActiveNetworkDNSServers(context, mVpnMode.get()));
+            servers = TextUtils.join(",", getActiveNetworkDNSServers(context, mVpnMode.get()));
         } catch (Exception e) {
             logger.onDiagnosticMessage("failed to get active network DNS resolver: " + e.getMessage());
             // Alternate DNS servers will be provided by psiphon-tunnel-core
@@ -1564,7 +1565,7 @@ private void setCurrentActiveNetworkAndProperties(Network network) {
                         } catch (java.lang.Exception e) {
                         }
                         // Use the workaround, comma-delimited format required for gobind.
-                        activeNetworkDNSServers.set(String.join(",", servers));
+                        activeNetworkDNSServers.set(TextUtils.join(",", servers));
 
                         String message = "NetworkMonitor: set current active network " + networkType;
                         if (!servers.isEmpty()) {

diff --git a/MobileLibrary/Android/PsiphonTunnel/libs/x86_64/libtun2socks.so b/MobileLibrary/Android/PsiphonTunnel/libs/x86_64/libtun2socks.so
diff --git a/MobileLibrary/Android/make.bash b/MobileLibrary/Android/make.bash
@@ -72,23 +72,7 @@ echo " Gomobile version: ${GOMOBILEVERSION}"
 echo " Dependencies: ${DEPENDENCIES}"
 echo ""
 
-# Note: android/386 is x86, which is used on both x86 and x86_64 Android
-# devices. We are excluding the android/amd64, x86_64, ABI as it causes a
-# crash in Android x86_64 emulators: "seccomp prevented call to disallowed
-# x86_64 system call 22". x86/linux syscall 22 is pipe.
-#
-# In Android seccomp config, pipe is permitted only for 32-bit platforms:
-# https://android.googlesource.com/platform/bionic/+/2b499046f10487802bfbaaf4429160595d08b22c/libc/SECCOMP_WHITELIST_APP.TXT#7.
-#
-# The Go syscall.Pipe on linux(android)/amd64 is the disallowed pipe:
-# https://github.com/golang/go/blob/release-branch.go1.14/src/syscall/syscall_linux_amd64.go#L115-L126
-#
-# A potential future fix is to use the allowed pipe2,
-# https://android.googlesource.com/platform/bionic/+/2b499046f10487802bfbaaf4429160595d08b22c/libc/SYSCALLS.TXT#129,
-# which is what linux(android)/arm64 uses, for example:
-# https://github.com/golang/go/blob/release-branch.go1.14/src/syscall/syscall_linux_arm64.go#L150-L159.
-
-gomobile bind -v -x -target=android/arm,android/arm64,android/386 -tags="${BUILD_TAGS}" -ldflags="$LDFLAGS" github.com/Psiphon-Labs/psiphon-tunnel-core/MobileLibrary/psi
+gomobile bind -v -x -target=android/arm,android/arm64,android/386,android/amd64 -tags="${BUILD_TAGS}" -ldflags="$LDFLAGS" github.com/Psiphon-Labs/psiphon-tunnel-core/MobileLibrary/psi
 if [ $? != 0 ]; then
   echo "..'gomobile bind' failed, exiting"
   exit $?
@@ -100,6 +84,7 @@ yes | cp -f PsiphonTunnel/AndroidManifest.xml build-tmp/psi/AndroidManifest.xml
 yes | cp -f PsiphonTunnel/libs/armeabi-v7a/libtun2socks.so build-tmp/psi/jni/armeabi-v7a/libtun2socks.so
 yes | cp -f PsiphonTunnel/libs/arm64-v8a/libtun2socks.so build-tmp/psi/jni/arm64-v8a/libtun2socks.so
 yes | cp -f PsiphonTunnel/libs/x86/libtun2socks.so build-tmp/psi/jni/x86/libtun2socks.so
+yes | cp -f PsiphonTunnel/libs/x86_64/libtun2socks.so build-tmp/psi/jni/x86_64/libtun2socks.so
 mkdir -p build-tmp/psi/res/xml
 yes | cp -f PsiphonTunnel/ca_psiphon_psiphontunnel_backup_rules.xml build-tmp/psi/res/xml/ca_psiphon_psiphontunnel_backup_rules.xml
 

diff --git a/MobileLibrary/iOS/PsiphonTunnel/PsiphonTunnel/PsiphonTunnel.m b/MobileLibrary/iOS/PsiphonTunnel/PsiphonTunnel/PsiphonTunnel.m
@@ -848,6 +848,24 @@ + (NSString * _Nullable)buildPsiphonConfig:(id _Nonnull)configObject
 
     }
 
+    // Where required, enable TransferURLsAlwaysSkipVerify, which overrides
+    // the TransferURL.SkipVerify configuration for remote server list
+    // downloads and feedback uploads. Both of these operations have
+    // additional security at the payload level. Verifying TLS certificates
+    // is preferred, as an additional security and circumvention layer, but
+    // is not possible in these circumstances:
+    // - On iOS < 12, Go 1.18+ does not support loading the system root CAs.
+    // - On iOS < 15 and in the VPN extension, loading the system root CAs
+    //   exceeds the extension memory limit.
+
+    BOOL alwaysSkipVerify = TRUE;
+    if (@available(iOS 15.0, *)) {
+        alwaysSkipVerify = FALSE;
+    } else if (@available(iOS 12.0, *)) {
+        alwaysSkipVerify = *tunnelWholeDevice;
+    }
+    config[@"TransferURLsAlwaysSkipVerify"] = @(alwaysSkipVerify);
+
     NSString *finalConfigStr = [[[SBJson4Writer alloc] init] stringWithObject:config];
 
     if (finalConfigStr == nil) {

diff --git a/MobileLibrary/iOS/build-psiphon-framework.sh b/MobileLibrary/iOS/build-psiphon-framework.sh
@@ -5,7 +5,7 @@ set -e -u -x
 if [ -z ${1+x} ]; then BUILD_TAGS=""; else BUILD_TAGS="$1"; fi
 
 # Modify this value as we use newer Go versions.
-GO_VERSION_REQUIRED="1.17.13"
+GO_VERSION_REQUIRED="1.19.2"
 
 # At this time, psiphon-tunnel-core doesn't support modules
 export GO111MODULE=off

diff --git a/Server/Dockerfile-binary-builder b/Server/Dockerfile-binary-builder
@@ -1,6 +1,6 @@
 FROM alpine:3.10.2
 
-ENV GOLANG_VERSION 1.17.13
+ENV GOLANG_VERSION 1.19.2
 ENV GOLANG_SRC_URL https://golang.org/dl/go$GOLANG_VERSION.src.tar.gz
 
 RUN set -ex \

diff --git a/Server/make.bash b/Server/make.bash
@@ -13,9 +13,6 @@ fi
 # $1, if specified, is go build tags
 if [ -z ${1+x} ]; then BUILD_TAGS=""; else BUILD_TAGS="$1"; fi
 
-# At this time, we don't support modules
-export GO111MODULE=off
-
 prepare_build () {
   BUILDINFOFILE="psiphond_buildinfo.txt"
   BUILDDATE=$(date -Iseconds)

diff --git a/go.mod b/go.mod
@@ -0,0 +1,92 @@
+module github.com/Psiphon-Labs/psiphon-tunnel-core
+
+go 1.19
+
+// When this is the main module, use a patched version of
+// refraction/gotapdance with
+// https://github.com/Psiphon-Labs/psiphon-tunnel-core/commit/2a4121d9
+replace github.com/refraction-networking/gotapdance => ./replace/gotapdance
+
+// When this is the main module, gitlab.com/yawning/obfs4, used by
+// refraction-networking/gotapdance, is pinned at 816cff15 the last revision
+// published without a GPL license. This version lacks obfuscation
+// improvements added in revision 1a6129b6, but these changes apply only on
+// the server side.
+replace gitlab.com/yawning/obfs4.git => ./replace/obfs4.git
+
+require (
+	github.com/Psiphon-Inc/rotate-safe-writer v0.0.0-20210303140923-464a7a37606e
+	github.com/Psiphon-Labs/bolt v0.0.0-20200624191537-23cedaef7ad7
+	github.com/Psiphon-Labs/goptlib v0.0.0-20200406165125-c0e32a7a3464
+	github.com/Psiphon-Labs/quic-go v0.0.0-20221014165902-1b7c3975fcf3
+	github.com/Psiphon-Labs/tls-tris v0.0.0-20210713133851-676a693d51ad
+	github.com/armon/go-proxyproto v0.0.0-20180202201750-5b7edb60ff5f
+	github.com/bifurcation/mint v0.0.0-20180306135233-198357931e61
+	github.com/cheekybits/genny v0.0.0-20170328200008-9127e812e1e9
+	github.com/cognusion/go-cache-lru v0.0.0-20170419142635-f73e2280ecea
+	github.com/deckarep/golang-set v0.0.0-20171013212420-1d4478f51bed
+	github.com/dgraph-io/badger v1.5.4-0.20180815194500-3a87f6d9c273
+	github.com/elazarl/goproxy v0.0.0-20200809112317-0581fc3aee2d
+	github.com/elazarl/goproxy/ext v0.0.0-20200809112317-0581fc3aee2d
+	github.com/florianl/go-nfqueue v1.1.1-0.20200829120558-a2f196e98ab0
+	github.com/gobwas/glob v0.2.4-0.20180402141543-f00a7392b439
+	github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e
+	github.com/google/gopacket v1.1.19-0.20200831200443-df1bbd09a561
+	github.com/grafov/m3u8 v0.0.0-20171211212457-6ab8f28ed427
+	github.com/hashicorp/golang-lru v0.0.0-20180201235237-0fb14efe8c47
+	github.com/juju/ratelimit v1.0.2
+	github.com/marusama/semaphore v0.0.0-20171214154724-565ffd8e868a
+	github.com/miekg/dns v1.1.44-0.20210804161652-ab67aa642300
+	github.com/mitchellh/panicwrap v0.0.0-20170106182340-fce601fe5557
+	github.com/oschwald/maxminddb-golang v1.2.1-0.20170901134056-26fe5ace1c70
+	github.com/patrickmn/go-cache v2.1.0+incompatible
+	github.com/refraction-networking/gotapdance v1.2.0
+	github.com/refraction-networking/utls v1.1.3
+	github.com/ryanuber/go-glob v0.0.0-20170128012129-256dc444b735
+	github.com/sirupsen/logrus v1.8.1
+	github.com/stretchr/testify v1.7.1
+	github.com/syndtr/gocapability v0.0.0-20170704070218-db04d3cc01c8
+	github.com/wader/filtertransport v0.0.0-20200316221534-bdd9e61eee78
+	github.com/zach-klippenstein/goregen v0.0.0-20160303162051-795b5e3961ea
+	golang.org/x/crypto v0.0.0-20221012134737-56aed061732a
+	golang.org/x/net v0.0.0-20221014081412-f15817d10f9b
+	golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4
+	golang.org/x/sys v0.0.0-20221013171732-95e765b1cc43
+	golang.org/x/term v0.0.0-20210927222741-03fcf44c2211
+)
+
+require (
+	git.torproject.org/pluggable-transports/goptlib.git v1.2.0 // indirect
+	github.com/AndreasBriese/bbloom v0.0.0-20170702084017-28f7e881ca57 // indirect
+	github.com/BurntSushi/toml v0.3.1 // indirect
+	github.com/Psiphon-Labs/qtls-go1-18 v0.0.0-20221014170512-3bdc7291c091 // indirect
+	github.com/Psiphon-Labs/qtls-go1-19 v0.0.0-20221014165721-ed28749db082 // indirect
+	github.com/agl/ed25519 v0.0.0-20170116200512-5312a6153412 // indirect
+	github.com/andybalholm/brotli v1.0.5-0.20220518190645-786ec621f618 // indirect
+	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/dchest/siphash v1.2.3-0.20201109081723-a21c2e7914a8 // indirect
+	github.com/dgryski/go-farm v0.0.0-20180109070241-2de33835d102 // indirect
+	github.com/golang/mock v1.6.0 // indirect
+	github.com/golang/protobuf v1.5.3-0.20210916003710-5d5e8c018a13 // indirect
+	github.com/google/go-cmp v0.5.8 // indirect
+	github.com/google/gxui v0.0.0-20151028112939-f85e0a97b3a4 // indirect
+	github.com/josharian/native v1.0.0 // indirect
+	github.com/kardianos/osext v0.0.0-20170510131534-ae77be60afb1 // indirect
+	github.com/klauspost/compress v1.15.10-0.20220729101446-5a3a4a965cc6 // indirect
+	github.com/marten-seemann/qpack v0.2.1 // indirect
+	github.com/mdlayher/netlink v1.4.2-0.20210930205308-a81a8c23d40a // indirect
+	github.com/mdlayher/socket v0.0.0-20210624160740-9dbe287ded84 // indirect
+	github.com/mroth/weightedrand v0.4.1 // indirect
+	github.com/pkg/errors v0.9.1 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/sergeyfrolov/bsbuffer v0.0.0-20180903213811-94e85abb8507 // indirect
+	github.com/smartystreets/goconvey v1.7.2 // indirect
+	gitlab.com/yawning/obfs4.git v0.0.0-20190120164510-816cff15f425 // indirect
+	golang.org/x/exp v0.0.0-20221012211006-4de253d81b95 // indirect
+	golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 // indirect
+	golang.org/x/text v0.3.7 // indirect
+	golang.org/x/tools v0.1.12 // indirect
+	google.golang.org/protobuf v1.28.0 // indirect
+	gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c // indirect
+	honnef.co/go/tools v0.2.1 // indirect
+)