Merge branch 'master' into utls-transport

Author: jmwample

Makefile

@@ -36,10 +36,28 @@ conjure-sim: detect.c loadkey.c rust_util.c rust libtapdance
 registration-server:
 	cd ./cmd/registration-server/ && make
 
-# Note this copies in the whole current directory as context and results in
-# overly large context. should not be used to build release/production images.
-custom-build:
-	docker build --build-arg CUSTOM_BUILD=1 -f docker/Dockerfile .
+PARAMS := det app reg zbalance sim
+target := unk
+# makefile arguments take preference, if one is not provided we check the environment variable.
+# If that is also missing then we use "latest" and install pfring from pkg in the docker build.
+ifndef pfring_ver
+	ifdef PFRING_VER
+		pfring_ver := ${PFRING_VER}
+	else
+		pfring_ver := latest
+	endif
+endif
+
+container:
+ifeq (unk,$(target))
+	DOCKER_BUILDKIT=1 docker build -t conjure -t pf-$(pfring_ver) -f  docker/Dockerfile --build-arg pfring_ver=$(pfring_ver) .
+#	@printf "DOCKER_BUILDKIT=1 docker build -t conjure -f  docker/Dockerfile --build-arg pfring_ver=$(pfring_ver) .\n"
+else ifneq  (,$(findstring $(target), $(PARAMS)))
+	DOCKER_BUILDKIT=1 docker build --target conjure_$(target) -t conjure_$(target) -t pf-$(pfring_ver) -f docker/Dockerfile --build-arg pfring_ver=$(pfring_ver) .
+#	@printf "DOCKER_BUILDKIT=1 docker build --target conjure_$(target) -t conjure_$(target) -f docker/Dockerfile --build-arg pfring_ver=$(pfring_ver) .\n"
+else
+	@printf "unrecognized container target $(target) - please use one of [ $(PARAMS) ]\n"
+endif
 
 
 backup-config:

application/config.toml

@@ -10,8 +10,10 @@ socket_name = "zmq-proxy"
 
 # Absolute path to private key to use when authenticating with servers.
 # Can be either privkey or privkey || pubkey; only first 32 bytes will
-# be used.
-privkey_path = "/opt/conjure/sysconfig/privkey"
+# be used. If this is blank then the environment variable CJ_PRIVKEY
+# which is defined in conjure.conf will be used (if that fails to parse
+# the station will shutdown).
+privkey_path = ""
 
 # Time in milliseconds to wait between sending heartbeats.
 # Heartbeats are only sent when other traffic doesn't come through;
@@ -75,7 +77,7 @@ covert_blocklist_subnets = [
 
 # Automatically add all addresses and subnets associated with local devices to
 # the blocklist.
-covert_blocklist_public_addrs = false
+covert_blocklist_public_addrs = true
 
 # Override the blocklist providing a more restrictive allowlist. Any addresses
 # not explicitly included in an allowlisted subnet will be considered

application/lib/config.go

@@ -20,9 +20,10 @@ type Config struct {
 // variable.
 func ParseConfig() (*Config, error) {
 	var c Config
-	_, err := toml.DecodeFile(os.Getenv("CJ_STATION_CONFIG"), &c)
+	var envPath = os.Getenv("CJ_STATION_CONFIG")
+	_, err := toml.DecodeFile(envPath, &c)
 	if err != nil {
-		return nil, fmt.Errorf("failed to load config: %v", err)
+		return nil, fmt.Errorf("failed to load config (%s): %v", envPath, err)
 	}
 
 	c.ParseBlocklists()

application/lib/zmq_proxy.go

@@ -145,7 +145,12 @@ func (zi *ZMQIngester) PrintAndReset(logger *log.Logger) {
 // location of the config file with the CJ_PROXY_CONFIG environment variable.
 func (zi *ZMQIngester) proxyZMQ() {
 
-	privkey, err := os.ReadFile(zi.PrivateKeyPath)
+	privkeyPath := zi.PrivateKeyPath
+	if privkeyPath == "" {
+		privkeyPath = os.Getenv("CJ_PRIVKEY")
+	}
+
+	privkey, err := os.ReadFile(privkeyPath)
 	if err != nil {
 		zi.logger.Fatalln("failed to load private key:", err)
 	}

application/transports/anypb_nourl.go

@@ -0,0 +1,26 @@
+package transports
+
+import (
+	"fmt"
+
+	"google.golang.org/protobuf/proto"
+	"google.golang.org/protobuf/reflect/protoreflect"
+	"google.golang.org/protobuf/types/known/anypb"
+)
+
+// UnmarshalAnypbTo unmarshals the src anypb to dst without reading the src type url.
+// Used to unmarshal TransportParams in the registration message for saving space from
+// the type url so that the registration payload is small enough for the DNS registrar.
+func UnmarshalAnypbTo(src *anypb.Any, dst protoreflect.ProtoMessage) error {
+	expected, err := anypb.New(dst)
+	if err != nil {
+		return fmt.Errorf("error reading src type: %v", err)
+	}
+
+	if src.TypeUrl != "" && src.TypeUrl != expected.TypeUrl {
+		return fmt.Errorf("incorrect non-empty TypeUrl: %v != %v", src.TypeUrl, expected.TypeUrl)
+	}
+
+	src.TypeUrl = expected.TypeUrl
+	return anypb.UnmarshalTo(src, dst, proto.UnmarshalOptions{})
+}

application/transports/anypb_nourl_test.go

@@ -0,0 +1,57 @@
+package transports_test
+
+import (
+	"math/rand"
+	"testing"
+
+	"github.com/refraction-networking/conjure/application/transports"
+	pb "github.com/refraction-networking/gotapdance/protobuf"
+	"github.com/stretchr/testify/require"
+	"google.golang.org/protobuf/proto"
+	"google.golang.org/protobuf/types/known/anypb"
+)
+
+func TestUnmarshall(t *testing.T) {
+	src, err := anypb.New(&pb.GenericTransportParams{RandomizeDstPort: proto.Bool(true)})
+	require.Nil(t, err)
+	src.TypeUrl = ""
+
+	dst := &pb.GenericTransportParams{}
+	err = transports.UnmarshalAnypbTo(src, dst)
+	require.Nil(t, err)
+
+	require.True(t, dst.GetRandomizeDstPort())
+}
+
+func TestMissingTypeURL(t *testing.T) {
+	src, err := anypb.New(&pb.GenericTransportParams{RandomizeDstPort: proto.Bool(true)})
+	require.Nil(t, err)
+	src.TypeUrl = ""
+
+	dst := &pb.GenericTransportParams{}
+	err = anypb.UnmarshalTo(src, dst, proto.UnmarshalOptions{})
+	require.NotNil(t, err)
+}
+
+func TestWrongType(t *testing.T) {
+	src, err := anypb.New(&pb.ClientToStation{Padding: []byte{0, 1}})
+	require.Nil(t, err)
+
+	dst := &pb.GenericTransportParams{}
+	err = transports.UnmarshalAnypbTo(src, dst)
+	require.NotNil(t, err)
+}
+
+func TestGarbage(t *testing.T) {
+	src, err := anypb.New(&pb.GenericTransportParams{RandomizeDstPort: proto.Bool(true)})
+	require.Nil(t, err)
+	garbagebytes, err := proto.Marshal(src)
+	require.Nil(t, err)
+	_, err = rand.Read(garbagebytes)
+	require.Nil(t, err)
+
+	dstAnypb := &anypb.Any{}
+
+	err = proto.Unmarshal(garbagebytes, dstAnypb)
+	require.NotNil(t, err)
+}