add proxy auth feature

2015-06-26 18:10:26 +08:00 · 2015-06-26 18:10:26 +08:00 · 6b8d16042e
commit 6b8d16042e
parent 8e568b6451
5 changed files with 190 additions and 91 deletions
--- a/client.go
+++ b/client.go
@ -5,6 +5,7 @@ import (
 	"bytes"
 	"crypto/tls"
 	"encoding/binary"
 	"errors"
 	"fmt"
 	"github.com/ginuerzh/gosocks5"
 	"github.com/gorilla/websocket"
@ -58,10 +59,18 @@ func listenAndServe(addr string, handler func(net.Conn)) error {
 func clientMethodSelected(method uint8, conn net.Conn) (net.Conn, error) {
 	switch method {
 	case gosocks5.MethodUserPass:
 		user, pass := parseUserPass(Password)
 		if err := clientSocksAuth(conn, user, pass); err != nil {
 			return nil, err
 		}
 	case MethodTLS, MethodTLSAuth:
 		conn = tls.Client(conn, &tls.Config{InsecureSkipVerify: true})
 		if method == MethodTLSAuth {
-			if err := cliTLSAuth(conn); err != nil {
+			if len(Password) == 0 {
 				return nil, ErrEmptyAuth
 			}
 			if err := clientSocksAuth(conn, "", Password); err != nil {
 				return nil, err
 			}
 		}
@ -80,26 +89,6 @@ func clientMethodSelected(method uint8, conn net.Conn) (net.Conn, error) {
 	return conn, nil
 }
 func cliTLSAuth(conn net.Conn) error {
 	if len(Password) == 0 {
 		return ErrEmptyPassword
 	}
 	if err := gosocks5.NewUserPassRequest(
 		gosocks5.UserPassVer, "", Password).Write(conn); err != nil {
 		return err
 	}
 	res, err := gosocks5.ReadUserPassResponse(conn)
 	if err != nil {
 		return err
 	}
 	if res.Status != gosocks5.Succeeded {
 		return gosocks5.ErrAuthFailure
 	}
 	return nil
 }
 func makeTunnel() (c net.Conn, err error) {
 	if UseWebsocket || !UseHttp {
 		c, err = connect(Saddr)
@ -161,21 +150,19 @@ func cliHandle(conn net.Conn) {
 	}
 	if b[0] == gosocks5.Ver5 {
-		length := 2 + int(b[1])
+		mn := int(b[1]) // methods count
 		length := 2 + mn
 		if n < length {
 			if _, err := io.ReadFull(conn, b[n:length]); err != nil {
 				return
 			}
 		}
-		if err := gosocks5.WriteMethod(gosocks5.MethodNoAuth, conn); err != nil {
+		methods := b[2 : 2+mn]
-			return
+		handleSocks5(conn, methods)
 		}
 		handleSocks5(conn)
 		return
 	}
-
+	log.Println(string(b[:n]))
 	for {
 		if bytes.HasSuffix(b[:n], []byte("\r\n\r\n")) {
 			break
@ -197,7 +184,51 @@ func cliHandle(conn net.Conn) {
 	handleHttp(req, conn)
 }
-func handleSocks5(conn net.Conn) {
+func selectMethod(conn net.Conn, methods ...uint8) error {
 	m := gosocks5.MethodNoAuth
 	if listenUrl.User != nil {
 		for _, method := range methods {
 			if method == gosocks5.MethodUserPass {
 				m = method
 				break
 			}
 		}
 		if m != gosocks5.MethodUserPass {
 			m = gosocks5.MethodNoAcceptable
 		}
 	}
 	if err := gosocks5.WriteMethod(m, conn); err != nil {
 		return err
 	}
 	log.Println(m)
 	switch m {
 	case gosocks5.MethodUserPass:
 		var username, password string
 		if listenUrl != nil && listenUrl.User != nil {
 			username = listenUrl.User.Username()
 			password, _ = listenUrl.User.Password()
 		}
 		if err := serverSocksAuth(conn, username, password); err != nil {
 			return err
 		}
 	case gosocks5.MethodNoAcceptable:
 		return gosocks5.ErrBadMethod
 	}
 	return nil
 }
 func handleSocks5(conn net.Conn, methods []uint8) {
 	if err := selectMethod(conn, methods...); err != nil {
 		log.Println(err)
 		return
 	}
 	req, err := gosocks5.ReadRequest(conn)
 	if err != nil {
 		return
@ -301,10 +332,35 @@ func cliTunnelUDP(uconn *net.UDPConn, sconn net.Conn) {
 	}
 }
 func clientHttpAuth(req *http.Request, conn net.Conn, username, password string) error {
 	u, p, ok := req.BasicAuth()
 	if !ok ||
 		(len(username) > 0 && u != username) ||
 		(len(password) > 0 && p != password) {
 		conn.Write([]byte("HTTP/1.1 401 Not Authorized\r\n" +
 			"WWW-Authenticate: Basic realm=\"Authorization Required\"\r\n" +
 			"Proxy-Agent: gost/" + Version + "\r\n\r\n"))
 		return errors.New("Not Authorized")
 	}
 	return nil
 }
 func handleHttp(req *http.Request, conn net.Conn) {
 	var host string
 	var port uint16
 	if listenUrl != nil && listenUrl.User != nil {
 		username := listenUrl.User.Username()
 		password, _ := listenUrl.User.Password()
 		if err := clientHttpAuth(req, conn, username, password); err != nil {
 			log.Println(err)
 			return
 		}
 	}
 	s := strings.Split(req.Host, ":")
 	host = s[0]
 	port = 80
--- a/main.go
+++ b/main.go
@ -3,7 +3,6 @@ package main
 import (
 	"flag"
 	//"github.com/ginuerzh/gosocks5"
 	"log"
 	"net/url"
 	"time"
@ -18,7 +17,8 @@ var (
 	CertFile, KeyFile     string
 	PrintVersion          bool
-	proxyURL *url.URL
+	proxyURL  *url.URL
 	listenUrl *url.URL
 )
 func init() {
@ -40,6 +40,7 @@ func init() {
 	log.SetFlags(log.LstdFlags | log.Lshortfile)
 	proxyURL, _ = parseURL(Proxy)
 	listenUrl, _ = parseURL(Laddr)
 }
 var (
@ -54,18 +55,20 @@ func main() {
 		return
 	}
 	laddr := listenUrl.Host
 	if len(Saddr) == 0 {
 		var server Server
 		if UseWebsocket {
-			server = &WSServer{Addr: Laddr}
+			server = &WSServer{Addr: laddr}
 		} else if UseHttp {
-			server = &HttpServer{Addr: Laddr}
+			server = &HttpServer{Addr: laddr}
 		} else {
-			server = &Socks5Server{Addr: Laddr}
+			server = &Socks5Server{Addr: laddr}
 		}
 		log.Fatal(server.ListenAndServe())
 		return
 	}
-	log.Fatal(listenAndServe(Laddr, cliHandle))
+	log.Fatal(listenAndServe(laddr, cliHandle))
 }
--- a/socks5.go
+++ b/socks5.go
@ -94,6 +94,7 @@ func (s *Socks5Server) ListenAndServe() error {
 }
 func serverSelectMethod(methods ...uint8) uint8 {
 	log.Println(methods)
 	m := gosocks5.MethodNoAuth
 	for _, method := range methods {
@ -102,6 +103,11 @@ func serverSelectMethod(methods ...uint8) uint8 {
 		}
 	}
 	// when user/pass is set for proxy auth, the NoAuth method is disabled
 	if len(Method) == 0 && m == gosocks5.MethodNoAuth && listenUrl.User != nil {
 		return gosocks5.MethodNoAcceptable
 	}
 	if len(Method) == 0 || Methods[m] == Method {
 		return m
 	}
@ -110,7 +116,19 @@ func serverSelectMethod(methods ...uint8) uint8 {
 }
 func serverMethodSelected(method uint8, conn net.Conn) (net.Conn, error) {
 	log.Println(method)
 	switch method {
 	case gosocks5.MethodUserPass:
 		var username, password string
 		if listenUrl != nil && listenUrl.User != nil {
 			username = listenUrl.User.Username()
 			password, _ = listenUrl.User.Password()
 		}
 		if err := serverSocksAuth(conn, username, password); err != nil {
 			return nil, err
 		}
 	case MethodTLS, MethodTLSAuth:
 		var cert tls.Certificate
 		var err error
@ -126,7 +144,11 @@ func serverMethodSelected(method uint8, conn net.Conn) (net.Conn, error) {
 		}
 		conn = tls.Server(conn, &tls.Config{Certificates: []tls.Certificate{cert}})
 		if method == MethodTLSAuth {
-			if err := svrTLSAuth(conn); err != nil {
+			// password is mandatory
 			if len(Password) == 0 {
 				return nil, ErrEmptyAuth
 			}
 			if err := serverSocksAuth(conn, "", Password); err != nil {
 				return nil, err
 			}
 		}
@ -144,32 +166,6 @@ func serverMethodSelected(method uint8, conn net.Conn) (net.Conn, error) {
 	return conn, nil
 }
 func svrTLSAuth(conn net.Conn) error {
 	if len(Password) == 0 {
 		return ErrEmptyPassword
 	}
 	req, err := gosocks5.ReadUserPassRequest(conn)
 	if err != nil {
 		return err
 	}
 	if req.Password != Password {
 		if err := gosocks5.NewUserPassResponse(
 			gosocks5.UserPassVer, gosocks5.Failure).Write(conn); err != nil {
 			return err
 		}
 		return gosocks5.ErrAuthFailure
 	}
 	if err := gosocks5.NewUserPassResponse(
 		gosocks5.UserPassVer, gosocks5.Succeeded).Write(conn); err != nil {
 		return err
 	}
 	return nil
 }
 func serveSocks5(conn net.Conn) {
 	defer conn.Close()
--- a/util.go
+++ b/util.go
@ -29,21 +29,22 @@ const (
 	MethodTLSAuth
 )
-var ErrEmptyPassword = errors.New("empty key")
+var ErrEmptyAuth = errors.New("empty auth")
 var Methods = map[uint8]string{
-	gosocks5.MethodNoAuth: "",            // 0x00
+	//gosocks5.MethodNoAuth:   "",            // 0x00
-	MethodTLS:             "tls",         // 0x80
+	gosocks5.MethodUserPass: "userpass",    // 0x02
-	MethodAES128:          "aes-128-cfb", // 0x81
+	MethodTLS:               "tls",         // 0x80
-	MethodAES192:          "aes-192-cfb", // 0x82
+	MethodAES128:            "aes-128-cfb", // 0x81
-	MethodAES256:          "aes-256-cfb", // 0x83
+	MethodAES192:            "aes-192-cfb", // 0x82
-	MethodDES:             "des-cfb",     // 0x84
+	MethodAES256:            "aes-256-cfb", // 0x83
-	MethodBF:              "bf-cfb",      // 0x85
+	MethodDES:               "des-cfb",     // 0x84
-	MethodCAST5:           "cast5-cfb",   // 0x86
+	MethodBF:                "bf-cfb",      // 0x85
-	MethodRC4MD5:          "rc4-md5",     // 8x87
+	MethodCAST5:             "cast5-cfb",   // 0x86
-	MethodRC4:             "rc4",         // 0x88
+	MethodRC4MD5:            "rc4-md5",     // 8x87
-	MethodTable:           "table",       // 0x89
+	MethodRC4:               "rc4",         // 0x88
-	MethodTLSAuth:         "tls-auth",    // 0x90
+	MethodTable:             "table",       // 0x89
 	MethodTLSAuth:           "tls-auth",    // 0x90
 }
 func parseURL(rawurl string) (*url.URL, error) {
@ -57,6 +58,15 @@ func parseURL(rawurl string) (*url.URL, error) {
 	return url.Parse(rawurl)
 }
 func parseUserPass(key string) (username string, password string) {
 	sep := ":"
 	i := strings.Index(key, sep)
 	if i < 0 {
 		return key, ""
 	}
 	return key[0:i], key[i+len(sep):]
 }
 func ToSocksAddr(addr net.Addr) *gosocks5.Addr {
 	host, port, _ := net.SplitHostPort(addr.String())
 	p, _ := strconv.Atoi(port)
@ -135,9 +145,12 @@ func connectSocks5Proxy(addr string) (conn net.Conn, err error) {
 	}
 	conf := &gosocks5.Config{
-		Methods:        []uint8{gosocks5.MethodNoAuth, gosocks5.MethodUserPass},
+		// Methods:        []uint8{gosocks5.MethodNoAuth, gosocks5.MethodUserPass},
 		MethodSelected: proxyMethodSelected,
 	}
 	if proxyURL.User != nil {
 		conf.Methods = []uint8{gosocks5.MethodUserPass}
 	}
 	c := gosocks5.ClientConn(conn, conf)
 	if err := c.Handleshake(); err != nil {
@ -178,30 +191,61 @@ func connectSocks5Proxy(addr string) (conn net.Conn, err error) {
 func proxyMethodSelected(method uint8, conn net.Conn) (net.Conn, error) {
 	switch method {
 	case gosocks5.MethodUserPass:
-		if proxyURL == nil || proxyURL.User == nil {
+		var user, pass string
-			return nil, gosocks5.ErrAuthFailure
+
 		if proxyURL != nil && proxyURL.User != nil {
 			user = proxyURL.User.Username()
 			pass, _ = proxyURL.User.Password()
 		}
-		pwd, _ := proxyURL.User.Password()
+		if err := clientSocksAuth(conn, user, pass); err != nil {
 		if err := gosocks5.NewUserPassRequest(gosocks5.UserPassVer,
 			proxyURL.User.Username(), pwd).Write(conn); err != nil {
 			return nil, err
 		}
 		resp, err := gosocks5.ReadUserPassResponse(conn)
 		if err != nil {
 			return nil, err
 		}
 		if resp.Status != gosocks5.Succeeded {
 			return nil, gosocks5.ErrAuthFailure
 		}
 	case gosocks5.MethodNoAcceptable:
 		return nil, gosocks5.ErrBadMethod
 		//case gosocks5.MethodNoAuth:
 	}
 	return conn, nil
 }
 func clientSocksAuth(conn net.Conn, username, password string) error {
 	if err := gosocks5.NewUserPassRequest(
 		gosocks5.UserPassVer, username, password).Write(conn); err != nil {
 		return err
 	}
 	res, err := gosocks5.ReadUserPassResponse(conn)
 	if err != nil {
 		return err
 	}
 	if res.Status != gosocks5.Succeeded {
 		return gosocks5.ErrAuthFailure
 	}
 	return nil
 }
 func serverSocksAuth(conn net.Conn, username, password string) error {
 	req, err := gosocks5.ReadUserPassRequest(conn)
 	if err != nil {
 		return err
 	}
 	if (len(username) > 0 && req.Username != username) ||
 		(len(password) > 0 && req.Password != password) {
 		if err := gosocks5.NewUserPassResponse(
 			gosocks5.UserPassVer, gosocks5.Failure).Write(conn); err != nil {
 			return err
 		}
 		return gosocks5.ErrAuthFailure
 	}
 	if err := gosocks5.NewUserPassResponse(
 		gosocks5.UserPassVer, gosocks5.Succeeded).Write(conn); err != nil {
 		return err
 	}
 	return nil
 }
 func setBasicAuth(r *http.Request) {
 	if proxyURL != nil && proxyURL.User != nil {
 		r.Header.Set("Proxy-Authorization",
--- a/version.go
+++ b/version.go
@ -5,7 +5,7 @@ import (
 )
 const (
-	Version = "1.6"
+	Version = "1.7"
 )
 func printVersion() {