if transport is not security (tls used), enable security socks5

b6d333e7 · rui.zheng · b5f499e5 · b6d333e7 · b6d333e7 · b6d333e7
Commit b6d333e7 authored Jan 09, 2016 by rui.zheng
Hide whitespace changes
Inline Side-by-side

Showing with 105 additions and 83 deletions

conn.go conn.go +16 -3

main.go main.go +3 -2

socks.go socks.go +14 -12

tls.go tls.go +71 -0

util.go util.go +1 -66

No files found.
--- a/conn.go
+++ b/conn.go
@@ -77,6 +77,7 @@ func handleConn(conn net.Conn, arg Args) {
 	defer atomic.AddInt32(&connCounter, -1)
 	defer conn.Close()

+	// server supported methods
 	selector := &serverSelector{
 		methods: []uint8{
 			gosocks5.MethodNoAuth,
@@ -84,7 +85,8 @@ func handleConn(conn net.Conn, arg Args) {
 			MethodTLS,
 			MethodTLSAuth,
 		},
-		arg: arg,
+		user: arg.User,
+		cert: arg.Cert,
 	}

 	switch arg.Protocol {
@@ -242,13 +244,19 @@ func forward(conn net.Conn, arg Args) (net.Conn, error) {
 		}
 		glog.Infof("forward: %s/%s %s", proto, arg.Transport, arg.Addr)
 	}
+
+	var tlsUsed bool
+
 	switch arg.Transport {
 	case "ws": // websocket connection
 		conn, err = wsClient(conn, arg.Addr)
 		if err != nil {
 			return nil, err
 		}
+	//case "wss": // websocket security
+	//	tlsUsed = true
 	case "tls": // tls connection
+		tlsUsed = true
 		conn = tls.Client(conn, &tls.Config{InsecureSkipVerify: true})
 	case "tcp":
 		fallthrough
@@ -261,10 +269,15 @@ func forward(conn net.Conn, arg Args) (net.Conn, error) {
 			methods: []uint8{
 				gosocks5.MethodNoAuth,
 				gosocks5.MethodUserPass,
-				MethodTLS,
+				//MethodTLS,
 			},
-			arg: arg,
+			user: arg.User,
 		}
+
+		if !tlsUsed { // if transport is not security, enable security socks5
+			selector.methods = append(selector.methods, MethodTLS)
+		}
+
 		c := gosocks5.ClientConn(conn, selector)
 		if err := c.Handleshake(); err != nil {
 			return nil, err

--- a/main.go
+++ b/main.go
@@ -5,6 +5,7 @@ import (
 	"flag"
 	"fmt"
 	"github.com/golang/glog"
+	"os"
 	"sync"
 )

@@ -17,7 +18,7 @@ const (
 )

 const (
-	Version = "2.0-20151106"
+	Version = "2.0-rc2"
 )

 var (
@@ -43,7 +44,7 @@ func main() {
 		return
 	}
 	if pv {
-		fmt.Println("gost", Version)
+		fmt.Fprintln(os.Stderr, "gost", Version)
 		return
 	}


--- a/socks.go
+++ b/socks.go
@@ -8,6 +8,7 @@ import (
 	"github.com/golang/glog"
 	"io"
 	"net"
+	"net/url"
 	"strconv"
 	"time"
 )
@@ -19,7 +20,7 @@ const (

 type clientSelector struct {
 	methods []uint8
-	arg     Args
+	user    *url.Userinfo
 }

 func (selector *clientSelector) Methods() []uint8 {
@@ -41,9 +42,9 @@ func (selector *clientSelector) OnSelected(method uint8, conn net.Conn) (net.Con
 		}

 		var username, password string
-		if selector.arg.User != nil {
-			username = selector.arg.User.Username()
-			password, _ = selector.arg.User.Password()
+		if selector.user != nil {
+			username = selector.user.Username()
+			password, _ = selector.user.Password()
 		}

 		req := gosocks5.NewUserPassRequest(gosocks5.UserPassVer, username, password)
@@ -72,7 +73,8 @@ func (selector *clientSelector) OnSelected(method uint8, conn net.Conn) (net.Con

 type serverSelector struct {
 	methods []uint8
-	arg     Args
+	user    *url.Userinfo
+	cert    tls.Certificate
 }

 func (selector *serverSelector) Methods() []uint8 {
@@ -80,7 +82,7 @@ func (selector *serverSelector) Methods() []uint8 {
 }

 func (selector *serverSelector) Select(methods ...uint8) (method uint8) {
-	glog.V(LDEBUG).Infof("%d %d % d", gosocks5.Ver5, len(methods), methods)
+	glog.V(LDEBUG).Infof("%d %d %v", gosocks5.Ver5, len(methods), methods)

 	method = gosocks5.MethodNoAuth
 	for _, m := range methods {
@@ -91,7 +93,7 @@ func (selector *serverSelector) Select(methods ...uint8) (method uint8) {
 	}

 	// when user/pass is set, auth is mandatory
-	if selector.arg.User != nil {
+	if selector.user != nil {
 		if method == gosocks5.MethodNoAuth {
 			method = gosocks5.MethodUserPass
 		}
@@ -108,11 +110,11 @@ func (selector *serverSelector) OnSelected(method uint8, conn net.Conn) (net.Con

 	switch method {
 	case MethodTLS:
-		conn = tls.Server(conn, &tls.Config{Certificates: []tls.Certificate{selector.arg.Cert}})
+		conn = tls.Server(conn, &tls.Config{Certificates: []tls.Certificate{selector.cert}})

 	case gosocks5.MethodUserPass, MethodTLSAuth:
 		if method == MethodTLSAuth {
-			conn = tls.Server(conn, &tls.Config{Certificates: []tls.Certificate{selector.arg.Cert}})
+			conn = tls.Server(conn, &tls.Config{Certificates: []tls.Certificate{selector.cert}})
 		}

 		req, err := gosocks5.ReadUserPassRequest(conn)
@@ -123,9 +125,9 @@ func (selector *serverSelector) OnSelected(method uint8, conn net.Conn) (net.Con
 		glog.V(LDEBUG).Infoln(req.String())

 		var username, password string
-		if selector.arg.User != nil {
-			username = selector.arg.User.Username()
-			password, _ = selector.arg.User.Password()
+		if selector.user != nil {
+			username = selector.user.Username()
+			password, _ = selector.user.Password()
 		}

 		if (username != "" && req.Username != username) || (password != "" && req.Password != password) {

--- a/tls.go
+++ b/tls.go
+package main
+
+import (
+	"crypto/tls"
+	"github.com/golang/glog"
+)
+
+const (
+	rawCert = `-----BEGIN CERTIFICATE-----
+MIIC5jCCAdCgAwIBAgIBADALBgkqhkiG9w0BAQUwEjEQMA4GA1UEChMHQWNtZSBD
+bzAeFw0xNDAzMTcwNjIwNTFaFw0xNTAzMTcwNjIwNTFaMBIxEDAOBgNVBAoTB0Fj
+bWUgQ28wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDccNO1xmd4lWSf
+d/0/QS3E93cYIWHw831i/IKxigdRD/XMZonLdEHywW6lOiXazaP8e6CqPGSmnl0x
+5k/3dvGCMj2JCVxM6+z7NpL+AiwvXmvkj/TOciCgwqssCwYS2CiVwjfazRjx1ZUJ
+VDC5qiyRsfktQ2fVHrpnJGVSRagmiQgwGWBilVG9B8QvRtpQKN/GQGq17oIQm8aK
+kOdPt93g93ojMIg7YJpgDgOirvVz/hDn7YD4ryrtPos9CMafFkJprymKpRHyvz7P
+8a3+OkuPjFjPnwOHQ5u1U3+8vC44vfb1ExWzDLoT8Xp8Gndx39k0f7MVOol3GnYu
+MN/dvNUdAgMBAAGjSzBJMA4GA1UdDwEB/wQEAwIAoDATBgNVHSUEDDAKBggrBgEF
+BQcDATAMBgNVHRMBAf8EAjAAMBQGA1UdEQQNMAuCCWxvY2FsaG9zdDALBgkqhkiG
+9w0BAQUDggEBAIG8CJqvTIgJnNOK+i5/IUc/3yF/mSCWuG8qP+Fmo2t6T0PVOtc0
+8wiWH5iWtCAhjn0MRY9l/hIjWm6gUZGHCGuEgsOPpJDYGoNLjH9Xwokm4y3LFNRK
+UBrrrDbKRNibApBHCapPf6gC5sXcjOwx7P2/kiHDgY7YH47jfcRhtAPNsM4gjsEO
+RmwENY+hRUFHIRfQTyalqND+x6PWhRo3K6hpHs4DQEYPq4P2kFPqUqSBymH+Ny5/
+BcQ3wdMNmC6Bm/oiL1QV0M+/InOsAgQk/EDd0kmoU1ZT2lYHQduGmP099bOlHNpS
+uqO3vXF3q8SPPr/A9TqSs7BKkBQbe0+cdsA=
+-----END CERTIFICATE-----`
+
+	rawKey = `-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEA3HDTtcZneJVkn3f9P0EtxPd3GCFh8PN9YvyCsYoHUQ/1zGaJ
+y3RB8sFupTol2s2j/Hugqjxkpp5dMeZP93bxgjI9iQlcTOvs+zaS/gIsL15r5I/0
+znIgoMKrLAsGEtgolcI32s0Y8dWVCVQwuaoskbH5LUNn1R66ZyRlUkWoJokIMBlg
+YpVRvQfEL0baUCjfxkBqte6CEJvGipDnT7fd4Pd6IzCIO2CaYA4Doq71c/4Q5+2A
+K8q7T6LPQjGnxZCaa8piqUR8r8+z/Gt/jpLj4xYz58Dh0ObtVN/vLwuOL329RMV
+swy6E/F6fBp3cd/ZNH+zFTqJdxp2LjDf3bzVHQIDAQABAoIBAHal26147nQ+pHwY
+jxwers3XDCjWvup7g79lfcqlKi79UiUEA6KYHm7UogMYewt7p4nb2KwH+XycvDiB
+aAUf5flXpTs+6IkWauUDiLZi4PlV7uiEexUq5FjirlL0U/6MjbudX4bK4WQ4uxDc
+WaV07Kw2iJFOOHLDKT0en9JaX5jtJNc4ZnE9efFoQ5jfypPWtRw65G1rULEg6nvc
+GDh+1ce+4foCkpLRC9c24xAwJONZG6x3UqrSS9qfAsb73nWRQrTfUcO3nhoN8VvL
+kL9skn1+S06NyUN0KoEtyRBp+RcpXSsBWAo6qZmo/WqhB/gjzWrxVwn20+yJSm35
+ZsMc6QECgYEA8GS+Mp9xfB2szWHz6YTOO1Uu4lHM1ccZMwS1G+dL0KO3uGAiPdvp
+woVot6v6w88t7onXsLo5pgz7SYug0CpkF3K/MRd1Ar4lH7PK7IBQ6rFr9ppVxDbx
+AEWRswUoPbKCr7W6HU8LbQHDavsDlEIwc6+DiwnL4BzlKjb7RpgQEz0CgYEA6sB5
+uHvx3Y5FDcGk1n73leQSAcq14l3ZLNpjrs8msoREDil/j5WmuSN58/7PGMiMgHEi
+1vLm3H796JmvGr9OBvspOjHyk07ui2/We/j9Hoxm1VWhyi8HkLNDj70HKalTTFMz
+RHO4O+0xCva+h9mKZrRMVktXr2jjdFn/0MYIZ2ECgYAIIsC1IeRLWQ3CHbCNlKsO
+IwHlMvOFwKk/qsceXKOaOhA7szU1dr3gkXdL0Aw6mEZrrkqYdpUA46uVf54/rU+Z
+445I8QxKvXiwK/uQKX+TkdGflPWWIG3jnnch4ejMvb/ihnn4B/bRB6A/fKNQXzUY
+lTYUfI5j1VaEKTwz1W2l2QKBgByFCcSp+jZqhGUpc3dDsZyaOr3Q/Mvlju7uEVI5
+hIAHpaT60a6GBd1UPAqymEJwivFHzW3D0NxU6VAK68UaHMaoWNfjHY9b9YsnKS2i
+kE3XzN56Ks+/avHfdYPO+UHMenw5V28nh+hv5pdoZrlmanQTz3pkaOC8o3WNQZEB
+nh/BAoGBAMY5z2f1pmMhrvtPDSlEVjgjELbaInxFaxPLR4Pdyzn83gtIIU14+R8X
+2LPs6PPwrNjWnIgrUSVXncIFL3pa45B+Mx1pYCpOAB1+nCZjIBQmpeo4Y0dwA/XH
+85EthKPvoszm+OPbyI16OcePV5ocX7lupRYuAo0pek7bomhmHWHz
+-----END RSA PRIVATE KEY-----`
+)
+
+func init() {
+	var err error
+	if tlsCert, err = tls.LoadX509KeyPair("cert.pem", "key.pem"); err != nil {
+		glog.V(LWARNING).Infoln(err)
+
+		tlsCert, err = tls.X509KeyPair([]byte(rawCert), []byte(rawKey))
+		if err != nil {
+			glog.Infoln(err)
+		}
+	}
+}
+
+var (
+	tlsCert tls.Certificate
+)
--- a/util.go
+++ b/util.go
@@ -10,71 +10,6 @@ import (
 	"strings"
 )

-const (
-	rawCert = `-----BEGIN CERTIFICATE-----
-MIIC5jCCAdCgAwIBAgIBADALBgkqhkiG9w0BAQUwEjEQMA4GA1UEChMHQWNtZSBD
-bzAeFw0xNDAzMTcwNjIwNTFaFw0xNTAzMTcwNjIwNTFaMBIxEDAOBgNVBAoTB0Fj
-bWUgQ28wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDccNO1xmd4lWSf
-d/0/QS3E93cYIWHw831i/IKxigdRD/XMZonLdEHywW6lOiXazaP8e6CqPGSmnl0x
-5k/3dvGCMj2JCVxM6+z7NpL+AiwvXmvkj/TOciCgwqssCwYS2CiVwjfazRjx1ZUJ
-VDC5qiyRsfktQ2fVHrpnJGVSRagmiQgwGWBilVG9B8QvRtpQKN/GQGq17oIQm8aK
-kOdPt93g93ojMIg7YJpgDgOirvVz/hDn7YD4ryrtPos9CMafFkJprymKpRHyvz7P
-8a3+OkuPjFjPnwOHQ5u1U3+8vC44vfb1ExWzDLoT8Xp8Gndx39k0f7MVOol3GnYu
-MN/dvNUdAgMBAAGjSzBJMA4GA1UdDwEB/wQEAwIAoDATBgNVHSUEDDAKBggrBgEF
-BQcDATAMBgNVHRMBAf8EAjAAMBQGA1UdEQQNMAuCCWxvY2FsaG9zdDALBgkqhkiG
-9w0BAQUDggEBAIG8CJqvTIgJnNOK+i5/IUc/3yF/mSCWuG8qP+Fmo2t6T0PVOtc0
-8wiWH5iWtCAhjn0MRY9l/hIjWm6gUZGHCGuEgsOPpJDYGoNLjH9Xwokm4y3LFNRK
-UBrrrDbKRNibApBHCapPf6gC5sXcjOwx7P2/kiHDgY7YH47jfcRhtAPNsM4gjsEO
-RmwENY+hRUFHIRfQTyalqND+x6PWhRo3K6hpHs4DQEYPq4P2kFPqUqSBymH+Ny5/
-BcQ3wdMNmC6Bm/oiL1QV0M+/InOsAgQk/EDd0kmoU1ZT2lYHQduGmP099bOlHNpS
-uqO3vXF3q8SPPr/A9TqSs7BKkBQbe0+cdsA=
-----END CERTIFICATE-----`
-
-	rawKey = `-----BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEA3HDTtcZneJVkn3f9P0EtxPd3GCFh8PN9YvyCsYoHUQ/1zGaJ
-y3RB8sFupTol2s2j/Hugqjxkpp5dMeZP93bxgjI9iQlcTOvs+zaS/gIsL15r5I/0
-znIgoMKrLAsGEtgolcI32s0Y8dWVCVQwuaoskbH5LUNn1R66ZyRlUkWoJokIMBlg
-YpVRvQfEL0baUCjfxkBqte6CEJvGipDnT7fd4Pd6IzCIO2CaYA4Doq71c/4Q5+2A
-+K8q7T6LPQjGnxZCaa8piqUR8r8+z/Gt/jpLj4xYz58Dh0ObtVN/vLwuOL329RMV
-swy6E/F6fBp3cd/ZNH+zFTqJdxp2LjDf3bzVHQIDAQABAoIBAHal26147nQ+pHwY
-jxwers3XDCjWvup7g79lfcqlKi79UiUEA6KYHm7UogMYewt7p4nb2KwH+XycvDiB
-aAUf5flXpTs+6IkWauUDiLZi4PlV7uiEexUq5FjirlL0U/6MjbudX4bK4WQ4uxDc
-WaV07Kw2iJFOOHLDKT0en9JaX5jtJNc4ZnE9efFoQ5jfypPWtRw65G1rULEg6nvc
-GDh+1ce+4foCkpLRC9c24xAwJONZG6x3UqrSS9qfAsb73nWRQrTfUcO3nhoN8VvL
-kL9skn1+S06NyUN0KoEtyRBp+RcpXSsBWAo6qZmo/WqhB/gjzWrxVwn20+yJSm35
-ZsMc6QECgYEA8GS+Mp9xfB2szWHz6YTOO1Uu4lHM1ccZMwS1G+dL0KO3uGAiPdvp
-woVot6v6w88t7onXsLo5pgz7SYug0CpkF3K/MRd1Ar4lH7PK7IBQ6rFr9ppVxDbx
-AEWRswUoPbKCr7W6HU8LbQHDavsDlEIwc6+DiwnL4BzlKjb7RpgQEz0CgYEA6sB5
-uHvx3Y5FDcGk1n73leQSAcq14l3ZLNpjrs8msoREDil/j5WmuSN58/7PGMiMgHEi
-1vLm3H796JmvGr9OBvspOjHyk07ui2/We/j9Hoxm1VWhyi8HkLNDj70HKalTTFMz
-RHO4O+0xCva+h9mKZrRMVktXr2jjdFn/0MYIZ2ECgYAIIsC1IeRLWQ3CHbCNlKsO
-IwHlMvOFwKk/qsceXKOaOhA7szU1dr3gkXdL0Aw6mEZrrkqYdpUA46uVf54/rU+Z
-445I8QxKvXiwK/uQKX+TkdGflPWWIG3jnnch4ejMvb/ihnn4B/bRB6A/fKNQXzUY
-lTYUfI5j1VaEKTwz1W2l2QKBgByFCcSp+jZqhGUpc3dDsZyaOr3Q/Mvlju7uEVI5
-hIAHpaT60a6GBd1UPAqymEJwivFHzW3D0NxU6VAK68UaHMaoWNfjHY9b9YsnKS2i
-kE3XzN56Ks+/avHfdYPO+UHMenw5V28nh+hv5pdoZrlmanQTz3pkaOC8o3WNQZEB
-nh/BAoGBAMY5z2f1pmMhrvtPDSlEVjgjELbaInxFaxPLR4Pdyzn83gtIIU14+R8X
-2LPs6PPwrNjWnIgrUSVXncIFL3pa45B+Mx1pYCpOAB1+nCZjIBQmpeo4Y0dwA/XH
-85EthKPvoszm+OPbyI16OcePV5ocX7lupRYuAo0pek7bomhmHWHz
-----END RSA PRIVATE KEY-----`
-)
-
-func init() {
-	var err error
-	if cert, err = tls.LoadX509KeyPair("cert.pem", "key.pem"); err != nil {
-		glog.V(LWARNING).Infoln(err)
-
-		cert, err = tls.X509KeyPair([]byte(rawCert), []byte(rawKey))
-		if err != nil {
-			glog.Infoln(err)
-		}
-	}
-}
-
-var (
-	cert tls.Certificate
-)
-
 type strSlice []string

 func (ss *strSlice) String() string {
@@ -118,7 +53,7 @@ func parseArgs(ss []string) (args []Args) {
 		arg := Args{
 			Addr: u.Host,
 			User: u.User,
-			Cert: cert,
+			Cert: tlsCert,
 		}

 		schemes := strings.Split(u.Scheme, "+")