From b6d333e7d5f19e143d393046c804b6935e502735 Mon Sep 17 00:00:00 2001 From: "rui.zheng" Date: Sat, 9 Jan 2016 11:32:12 +0800 Subject: [PATCH] if transport is not security (tls used), enable security socks5 --- conn.go | 19 ++++++++++++--- main.go | 5 ++-- socks.go | 26 +++++++++++---------- tls.go | 71 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++ util.go | 67 +--------------------------------------------------- 5 files changed, 105 insertions(+), 83 deletions(-) create mode 100644 tls.go diff --git a/conn.go b/conn.go index c2a595e..2298c90 100644 --- a/conn.go +++ b/conn.go @@ -77,6 +77,7 @@ func handleConn(conn net.Conn, arg Args) { defer atomic.AddInt32(&connCounter, -1) defer conn.Close() + // server supported methods selector := &serverSelector{ methods: []uint8{ gosocks5.MethodNoAuth, @@ -84,7 +85,8 @@ func handleConn(conn net.Conn, arg Args) { MethodTLS, MethodTLSAuth, }, - arg: arg, + user: arg.User, + cert: arg.Cert, } switch arg.Protocol { @@ -242,13 +244,19 @@ func forward(conn net.Conn, arg Args) (net.Conn, error) { } glog.Infof("forward: %s/%s %s", proto, arg.Transport, arg.Addr) } + + var tlsUsed bool + switch arg.Transport { case "ws": // websocket connection conn, err = wsClient(conn, arg.Addr) if err != nil { return nil, err } + //case "wss": // websocket security + // tlsUsed = true case "tls": // tls connection + tlsUsed = true conn = tls.Client(conn, &tls.Config{InsecureSkipVerify: true}) case "tcp": fallthrough @@ -261,10 +269,15 @@ func forward(conn net.Conn, arg Args) (net.Conn, error) { methods: []uint8{ gosocks5.MethodNoAuth, gosocks5.MethodUserPass, - MethodTLS, + //MethodTLS, }, - arg: arg, + user: arg.User, } + + if !tlsUsed { // if transport is not security, enable security socks5 + selector.methods = append(selector.methods, MethodTLS) + } + c := gosocks5.ClientConn(conn, selector) if err := c.Handleshake(); err != nil { return nil, err diff --git a/main.go b/main.go index c5188d3..50919ad 100644 --- a/main.go +++ b/main.go @@ -5,6 +5,7 @@ import ( "flag" "fmt" "github.com/golang/glog" + "os" "sync" ) @@ -17,7 +18,7 @@ const ( ) const ( - Version = "2.0-20151106" + Version = "2.0-rc2" ) var ( @@ -43,7 +44,7 @@ func main() { return } if pv { - fmt.Println("gost", Version) + fmt.Fprintln(os.Stderr, "gost", Version) return } diff --git a/socks.go b/socks.go index 759ed5a..e29ff85 100644 --- a/socks.go +++ b/socks.go @@ -8,6 +8,7 @@ import ( "github.com/golang/glog" "io" "net" + "net/url" "strconv" "time" ) @@ -19,7 +20,7 @@ const ( type clientSelector struct { methods []uint8 - arg Args + user *url.Userinfo } func (selector *clientSelector) Methods() []uint8 { @@ -41,9 +42,9 @@ func (selector *clientSelector) OnSelected(method uint8, conn net.Conn) (net.Con } var username, password string - if selector.arg.User != nil { - username = selector.arg.User.Username() - password, _ = selector.arg.User.Password() + if selector.user != nil { + username = selector.user.Username() + password, _ = selector.user.Password() } req := gosocks5.NewUserPassRequest(gosocks5.UserPassVer, username, password) @@ -72,7 +73,8 @@ func (selector *clientSelector) OnSelected(method uint8, conn net.Conn) (net.Con type serverSelector struct { methods []uint8 - arg Args + user *url.Userinfo + cert tls.Certificate } func (selector *serverSelector) Methods() []uint8 { @@ -80,7 +82,7 @@ func (selector *serverSelector) Methods() []uint8 { } func (selector *serverSelector) Select(methods ...uint8) (method uint8) { - glog.V(LDEBUG).Infof("%d %d % d", gosocks5.Ver5, len(methods), methods) + glog.V(LDEBUG).Infof("%d %d %v", gosocks5.Ver5, len(methods), methods) method = gosocks5.MethodNoAuth for _, m := range methods { @@ -91,7 +93,7 @@ func (selector *serverSelector) Select(methods ...uint8) (method uint8) { } // when user/pass is set, auth is mandatory - if selector.arg.User != nil { + if selector.user != nil { if method == gosocks5.MethodNoAuth { method = gosocks5.MethodUserPass } @@ -108,11 +110,11 @@ func (selector *serverSelector) OnSelected(method uint8, conn net.Conn) (net.Con switch method { case MethodTLS: - conn = tls.Server(conn, &tls.Config{Certificates: []tls.Certificate{selector.arg.Cert}}) + conn = tls.Server(conn, &tls.Config{Certificates: []tls.Certificate{selector.cert}}) case gosocks5.MethodUserPass, MethodTLSAuth: if method == MethodTLSAuth { - conn = tls.Server(conn, &tls.Config{Certificates: []tls.Certificate{selector.arg.Cert}}) + conn = tls.Server(conn, &tls.Config{Certificates: []tls.Certificate{selector.cert}}) } req, err := gosocks5.ReadUserPassRequest(conn) @@ -123,9 +125,9 @@ func (selector *serverSelector) OnSelected(method uint8, conn net.Conn) (net.Con glog.V(LDEBUG).Infoln(req.String()) var username, password string - if selector.arg.User != nil { - username = selector.arg.User.Username() - password, _ = selector.arg.User.Password() + if selector.user != nil { + username = selector.user.Username() + password, _ = selector.user.Password() } if (username != "" && req.Username != username) || (password != "" && req.Password != password) { diff --git a/tls.go b/tls.go new file mode 100644 index 0000000..9c7ffc2 --- /dev/null +++ b/tls.go @@ -0,0 +1,71 @@ +package main + +import ( + "crypto/tls" + "github.com/golang/glog" +) + +const ( + rawCert = `-----BEGIN CERTIFICATE----- +MIIC5jCCAdCgAwIBAgIBADALBgkqhkiG9w0BAQUwEjEQMA4GA1UEChMHQWNtZSBD +bzAeFw0xNDAzMTcwNjIwNTFaFw0xNTAzMTcwNjIwNTFaMBIxEDAOBgNVBAoTB0Fj +bWUgQ28wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDccNO1xmd4lWSf +d/0/QS3E93cYIWHw831i/IKxigdRD/XMZonLdEHywW6lOiXazaP8e6CqPGSmnl0x +5k/3dvGCMj2JCVxM6+z7NpL+AiwvXmvkj/TOciCgwqssCwYS2CiVwjfazRjx1ZUJ +VDC5qiyRsfktQ2fVHrpnJGVSRagmiQgwGWBilVG9B8QvRtpQKN/GQGq17oIQm8aK +kOdPt93g93ojMIg7YJpgDgOirvVz/hDn7YD4ryrtPos9CMafFkJprymKpRHyvz7P +8a3+OkuPjFjPnwOHQ5u1U3+8vC44vfb1ExWzDLoT8Xp8Gndx39k0f7MVOol3GnYu +MN/dvNUdAgMBAAGjSzBJMA4GA1UdDwEB/wQEAwIAoDATBgNVHSUEDDAKBggrBgEF +BQcDATAMBgNVHRMBAf8EAjAAMBQGA1UdEQQNMAuCCWxvY2FsaG9zdDALBgkqhkiG +9w0BAQUDggEBAIG8CJqvTIgJnNOK+i5/IUc/3yF/mSCWuG8qP+Fmo2t6T0PVOtc0 +8wiWH5iWtCAhjn0MRY9l/hIjWm6gUZGHCGuEgsOPpJDYGoNLjH9Xwokm4y3LFNRK +UBrrrDbKRNibApBHCapPf6gC5sXcjOwx7P2/kiHDgY7YH47jfcRhtAPNsM4gjsEO +RmwENY+hRUFHIRfQTyalqND+x6PWhRo3K6hpHs4DQEYPq4P2kFPqUqSBymH+Ny5/ +BcQ3wdMNmC6Bm/oiL1QV0M+/InOsAgQk/EDd0kmoU1ZT2lYHQduGmP099bOlHNpS +uqO3vXF3q8SPPr/A9TqSs7BKkBQbe0+cdsA= +-----END CERTIFICATE-----` + + rawKey = `-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEA3HDTtcZneJVkn3f9P0EtxPd3GCFh8PN9YvyCsYoHUQ/1zGaJ +y3RB8sFupTol2s2j/Hugqjxkpp5dMeZP93bxgjI9iQlcTOvs+zaS/gIsL15r5I/0 +znIgoMKrLAsGEtgolcI32s0Y8dWVCVQwuaoskbH5LUNn1R66ZyRlUkWoJokIMBlg +YpVRvQfEL0baUCjfxkBqte6CEJvGipDnT7fd4Pd6IzCIO2CaYA4Doq71c/4Q5+2A ++K8q7T6LPQjGnxZCaa8piqUR8r8+z/Gt/jpLj4xYz58Dh0ObtVN/vLwuOL329RMV +swy6E/F6fBp3cd/ZNH+zFTqJdxp2LjDf3bzVHQIDAQABAoIBAHal26147nQ+pHwY +jxwers3XDCjWvup7g79lfcqlKi79UiUEA6KYHm7UogMYewt7p4nb2KwH+XycvDiB +aAUf5flXpTs+6IkWauUDiLZi4PlV7uiEexUq5FjirlL0U/6MjbudX4bK4WQ4uxDc +WaV07Kw2iJFOOHLDKT0en9JaX5jtJNc4ZnE9efFoQ5jfypPWtRw65G1rULEg6nvc +GDh+1ce+4foCkpLRC9c24xAwJONZG6x3UqrSS9qfAsb73nWRQrTfUcO3nhoN8VvL +kL9skn1+S06NyUN0KoEtyRBp+RcpXSsBWAo6qZmo/WqhB/gjzWrxVwn20+yJSm35 +ZsMc6QECgYEA8GS+Mp9xfB2szWHz6YTOO1Uu4lHM1ccZMwS1G+dL0KO3uGAiPdvp +woVot6v6w88t7onXsLo5pgz7SYug0CpkF3K/MRd1Ar4lH7PK7IBQ6rFr9ppVxDbx +AEWRswUoPbKCr7W6HU8LbQHDavsDlEIwc6+DiwnL4BzlKjb7RpgQEz0CgYEA6sB5 +uHvx3Y5FDcGk1n73leQSAcq14l3ZLNpjrs8msoREDil/j5WmuSN58/7PGMiMgHEi +1vLm3H796JmvGr9OBvspOjHyk07ui2/We/j9Hoxm1VWhyi8HkLNDj70HKalTTFMz +RHO4O+0xCva+h9mKZrRMVktXr2jjdFn/0MYIZ2ECgYAIIsC1IeRLWQ3CHbCNlKsO +IwHlMvOFwKk/qsceXKOaOhA7szU1dr3gkXdL0Aw6mEZrrkqYdpUA46uVf54/rU+Z +445I8QxKvXiwK/uQKX+TkdGflPWWIG3jnnch4ejMvb/ihnn4B/bRB6A/fKNQXzUY +lTYUfI5j1VaEKTwz1W2l2QKBgByFCcSp+jZqhGUpc3dDsZyaOr3Q/Mvlju7uEVI5 +hIAHpaT60a6GBd1UPAqymEJwivFHzW3D0NxU6VAK68UaHMaoWNfjHY9b9YsnKS2i +kE3XzN56Ks+/avHfdYPO+UHMenw5V28nh+hv5pdoZrlmanQTz3pkaOC8o3WNQZEB +nh/BAoGBAMY5z2f1pmMhrvtPDSlEVjgjELbaInxFaxPLR4Pdyzn83gtIIU14+R8X +2LPs6PPwrNjWnIgrUSVXncIFL3pa45B+Mx1pYCpOAB1+nCZjIBQmpeo4Y0dwA/XH +85EthKPvoszm+OPbyI16OcePV5ocX7lupRYuAo0pek7bomhmHWHz +-----END RSA PRIVATE KEY-----` +) + +func init() { + var err error + if tlsCert, err = tls.LoadX509KeyPair("cert.pem", "key.pem"); err != nil { + glog.V(LWARNING).Infoln(err) + + tlsCert, err = tls.X509KeyPair([]byte(rawCert), []byte(rawKey)) + if err != nil { + glog.Infoln(err) + } + } +} + +var ( + tlsCert tls.Certificate +) diff --git a/util.go b/util.go index a531254..bbf2e0d 100644 --- a/util.go +++ b/util.go @@ -10,71 +10,6 @@ import ( "strings" ) -const ( - rawCert = `-----BEGIN CERTIFICATE----- -MIIC5jCCAdCgAwIBAgIBADALBgkqhkiG9w0BAQUwEjEQMA4GA1UEChMHQWNtZSBD -bzAeFw0xNDAzMTcwNjIwNTFaFw0xNTAzMTcwNjIwNTFaMBIxEDAOBgNVBAoTB0Fj -bWUgQ28wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDccNO1xmd4lWSf -d/0/QS3E93cYIWHw831i/IKxigdRD/XMZonLdEHywW6lOiXazaP8e6CqPGSmnl0x -5k/3dvGCMj2JCVxM6+z7NpL+AiwvXmvkj/TOciCgwqssCwYS2CiVwjfazRjx1ZUJ -VDC5qiyRsfktQ2fVHrpnJGVSRagmiQgwGWBilVG9B8QvRtpQKN/GQGq17oIQm8aK -kOdPt93g93ojMIg7YJpgDgOirvVz/hDn7YD4ryrtPos9CMafFkJprymKpRHyvz7P -8a3+OkuPjFjPnwOHQ5u1U3+8vC44vfb1ExWzDLoT8Xp8Gndx39k0f7MVOol3GnYu -MN/dvNUdAgMBAAGjSzBJMA4GA1UdDwEB/wQEAwIAoDATBgNVHSUEDDAKBggrBgEF -BQcDATAMBgNVHRMBAf8EAjAAMBQGA1UdEQQNMAuCCWxvY2FsaG9zdDALBgkqhkiG -9w0BAQUDggEBAIG8CJqvTIgJnNOK+i5/IUc/3yF/mSCWuG8qP+Fmo2t6T0PVOtc0 -8wiWH5iWtCAhjn0MRY9l/hIjWm6gUZGHCGuEgsOPpJDYGoNLjH9Xwokm4y3LFNRK -UBrrrDbKRNibApBHCapPf6gC5sXcjOwx7P2/kiHDgY7YH47jfcRhtAPNsM4gjsEO -RmwENY+hRUFHIRfQTyalqND+x6PWhRo3K6hpHs4DQEYPq4P2kFPqUqSBymH+Ny5/ -BcQ3wdMNmC6Bm/oiL1QV0M+/InOsAgQk/EDd0kmoU1ZT2lYHQduGmP099bOlHNpS -uqO3vXF3q8SPPr/A9TqSs7BKkBQbe0+cdsA= ------END CERTIFICATE-----` - - rawKey = `-----BEGIN RSA PRIVATE KEY----- -MIIEowIBAAKCAQEA3HDTtcZneJVkn3f9P0EtxPd3GCFh8PN9YvyCsYoHUQ/1zGaJ -y3RB8sFupTol2s2j/Hugqjxkpp5dMeZP93bxgjI9iQlcTOvs+zaS/gIsL15r5I/0 -znIgoMKrLAsGEtgolcI32s0Y8dWVCVQwuaoskbH5LUNn1R66ZyRlUkWoJokIMBlg -YpVRvQfEL0baUCjfxkBqte6CEJvGipDnT7fd4Pd6IzCIO2CaYA4Doq71c/4Q5+2A -+K8q7T6LPQjGnxZCaa8piqUR8r8+z/Gt/jpLj4xYz58Dh0ObtVN/vLwuOL329RMV -swy6E/F6fBp3cd/ZNH+zFTqJdxp2LjDf3bzVHQIDAQABAoIBAHal26147nQ+pHwY -jxwers3XDCjWvup7g79lfcqlKi79UiUEA6KYHm7UogMYewt7p4nb2KwH+XycvDiB -aAUf5flXpTs+6IkWauUDiLZi4PlV7uiEexUq5FjirlL0U/6MjbudX4bK4WQ4uxDc -WaV07Kw2iJFOOHLDKT0en9JaX5jtJNc4ZnE9efFoQ5jfypPWtRw65G1rULEg6nvc -GDh+1ce+4foCkpLRC9c24xAwJONZG6x3UqrSS9qfAsb73nWRQrTfUcO3nhoN8VvL -kL9skn1+S06NyUN0KoEtyRBp+RcpXSsBWAo6qZmo/WqhB/gjzWrxVwn20+yJSm35 -ZsMc6QECgYEA8GS+Mp9xfB2szWHz6YTOO1Uu4lHM1ccZMwS1G+dL0KO3uGAiPdvp -woVot6v6w88t7onXsLo5pgz7SYug0CpkF3K/MRd1Ar4lH7PK7IBQ6rFr9ppVxDbx -AEWRswUoPbKCr7W6HU8LbQHDavsDlEIwc6+DiwnL4BzlKjb7RpgQEz0CgYEA6sB5 -uHvx3Y5FDcGk1n73leQSAcq14l3ZLNpjrs8msoREDil/j5WmuSN58/7PGMiMgHEi -1vLm3H796JmvGr9OBvspOjHyk07ui2/We/j9Hoxm1VWhyi8HkLNDj70HKalTTFMz -RHO4O+0xCva+h9mKZrRMVktXr2jjdFn/0MYIZ2ECgYAIIsC1IeRLWQ3CHbCNlKsO -IwHlMvOFwKk/qsceXKOaOhA7szU1dr3gkXdL0Aw6mEZrrkqYdpUA46uVf54/rU+Z -445I8QxKvXiwK/uQKX+TkdGflPWWIG3jnnch4ejMvb/ihnn4B/bRB6A/fKNQXzUY -lTYUfI5j1VaEKTwz1W2l2QKBgByFCcSp+jZqhGUpc3dDsZyaOr3Q/Mvlju7uEVI5 -hIAHpaT60a6GBd1UPAqymEJwivFHzW3D0NxU6VAK68UaHMaoWNfjHY9b9YsnKS2i -kE3XzN56Ks+/avHfdYPO+UHMenw5V28nh+hv5pdoZrlmanQTz3pkaOC8o3WNQZEB -nh/BAoGBAMY5z2f1pmMhrvtPDSlEVjgjELbaInxFaxPLR4Pdyzn83gtIIU14+R8X -2LPs6PPwrNjWnIgrUSVXncIFL3pa45B+Mx1pYCpOAB1+nCZjIBQmpeo4Y0dwA/XH -85EthKPvoszm+OPbyI16OcePV5ocX7lupRYuAo0pek7bomhmHWHz ------END RSA PRIVATE KEY-----` -) - -func init() { - var err error - if cert, err = tls.LoadX509KeyPair("cert.pem", "key.pem"); err != nil { - glog.V(LWARNING).Infoln(err) - - cert, err = tls.X509KeyPair([]byte(rawCert), []byte(rawKey)) - if err != nil { - glog.Infoln(err) - } - } -} - -var ( - cert tls.Certificate -) - type strSlice []string func (ss *strSlice) String() string { @@ -118,7 +53,7 @@ func parseArgs(ss []string) (args []Args) { arg := Args{ Addr: u.Host, User: u.User, - Cert: cert, + Cert: tlsCert, } schemes := strings.Split(u.Scheme, "+")