mirror of
https://github.com/Luzifer/nginx-sso.git
synced 2024-12-22 13:51:18 +00:00
317 lines
9 KiB
Go
317 lines
9 KiB
Go
// Copyright 2018 The Go Authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style
|
|
// license that can be found in the LICENSE file.
|
|
|
|
// Package socks provides a SOCKS version 5 client implementation.
|
|
//
|
|
// SOCKS protocol version 5 is defined in RFC 1928.
|
|
// Username/Password authentication for SOCKS version 5 is defined in
|
|
// RFC 1929.
|
|
package socks
|
|
|
|
import (
|
|
"context"
|
|
"errors"
|
|
"io"
|
|
"net"
|
|
"strconv"
|
|
)
|
|
|
|
// A Command represents a SOCKS command.
|
|
type Command int
|
|
|
|
func (cmd Command) String() string {
|
|
switch cmd {
|
|
case CmdConnect:
|
|
return "socks connect"
|
|
case cmdBind:
|
|
return "socks bind"
|
|
default:
|
|
return "socks " + strconv.Itoa(int(cmd))
|
|
}
|
|
}
|
|
|
|
// An AuthMethod represents a SOCKS authentication method.
|
|
type AuthMethod int
|
|
|
|
// A Reply represents a SOCKS command reply code.
|
|
type Reply int
|
|
|
|
func (code Reply) String() string {
|
|
switch code {
|
|
case StatusSucceeded:
|
|
return "succeeded"
|
|
case 0x01:
|
|
return "general SOCKS server failure"
|
|
case 0x02:
|
|
return "connection not allowed by ruleset"
|
|
case 0x03:
|
|
return "network unreachable"
|
|
case 0x04:
|
|
return "host unreachable"
|
|
case 0x05:
|
|
return "connection refused"
|
|
case 0x06:
|
|
return "TTL expired"
|
|
case 0x07:
|
|
return "command not supported"
|
|
case 0x08:
|
|
return "address type not supported"
|
|
default:
|
|
return "unknown code: " + strconv.Itoa(int(code))
|
|
}
|
|
}
|
|
|
|
// Wire protocol constants.
|
|
const (
|
|
Version5 = 0x05
|
|
|
|
AddrTypeIPv4 = 0x01
|
|
AddrTypeFQDN = 0x03
|
|
AddrTypeIPv6 = 0x04
|
|
|
|
CmdConnect Command = 0x01 // establishes an active-open forward proxy connection
|
|
cmdBind Command = 0x02 // establishes a passive-open forward proxy connection
|
|
|
|
AuthMethodNotRequired AuthMethod = 0x00 // no authentication required
|
|
AuthMethodUsernamePassword AuthMethod = 0x02 // use username/password
|
|
AuthMethodNoAcceptableMethods AuthMethod = 0xff // no acceptable authentication methods
|
|
|
|
StatusSucceeded Reply = 0x00
|
|
)
|
|
|
|
// An Addr represents a SOCKS-specific address.
|
|
// Either Name or IP is used exclusively.
|
|
type Addr struct {
|
|
Name string // fully-qualified domain name
|
|
IP net.IP
|
|
Port int
|
|
}
|
|
|
|
func (a *Addr) Network() string { return "socks" }
|
|
|
|
func (a *Addr) String() string {
|
|
if a == nil {
|
|
return "<nil>"
|
|
}
|
|
port := strconv.Itoa(a.Port)
|
|
if a.IP == nil {
|
|
return net.JoinHostPort(a.Name, port)
|
|
}
|
|
return net.JoinHostPort(a.IP.String(), port)
|
|
}
|
|
|
|
// A Conn represents a forward proxy connection.
|
|
type Conn struct {
|
|
net.Conn
|
|
|
|
boundAddr net.Addr
|
|
}
|
|
|
|
// BoundAddr returns the address assigned by the proxy server for
|
|
// connecting to the command target address from the proxy server.
|
|
func (c *Conn) BoundAddr() net.Addr {
|
|
if c == nil {
|
|
return nil
|
|
}
|
|
return c.boundAddr
|
|
}
|
|
|
|
// A Dialer holds SOCKS-specific options.
|
|
type Dialer struct {
|
|
cmd Command // either CmdConnect or cmdBind
|
|
proxyNetwork string // network between a proxy server and a client
|
|
proxyAddress string // proxy server address
|
|
|
|
// ProxyDial specifies the optional dial function for
|
|
// establishing the transport connection.
|
|
ProxyDial func(context.Context, string, string) (net.Conn, error)
|
|
|
|
// AuthMethods specifies the list of request authention
|
|
// methods.
|
|
// If empty, SOCKS client requests only AuthMethodNotRequired.
|
|
AuthMethods []AuthMethod
|
|
|
|
// Authenticate specifies the optional authentication
|
|
// function. It must be non-nil when AuthMethods is not empty.
|
|
// It must return an error when the authentication is failed.
|
|
Authenticate func(context.Context, io.ReadWriter, AuthMethod) error
|
|
}
|
|
|
|
// DialContext connects to the provided address on the provided
|
|
// network.
|
|
//
|
|
// The returned error value may be a net.OpError. When the Op field of
|
|
// net.OpError contains "socks", the Source field contains a proxy
|
|
// server address and the Addr field contains a command target
|
|
// address.
|
|
//
|
|
// See func Dial of the net package of standard library for a
|
|
// description of the network and address parameters.
|
|
func (d *Dialer) DialContext(ctx context.Context, network, address string) (net.Conn, error) {
|
|
if err := d.validateTarget(network, address); err != nil {
|
|
proxy, dst, _ := d.pathAddrs(address)
|
|
return nil, &net.OpError{Op: d.cmd.String(), Net: network, Source: proxy, Addr: dst, Err: err}
|
|
}
|
|
if ctx == nil {
|
|
proxy, dst, _ := d.pathAddrs(address)
|
|
return nil, &net.OpError{Op: d.cmd.String(), Net: network, Source: proxy, Addr: dst, Err: errors.New("nil context")}
|
|
}
|
|
var err error
|
|
var c net.Conn
|
|
if d.ProxyDial != nil {
|
|
c, err = d.ProxyDial(ctx, d.proxyNetwork, d.proxyAddress)
|
|
} else {
|
|
var dd net.Dialer
|
|
c, err = dd.DialContext(ctx, d.proxyNetwork, d.proxyAddress)
|
|
}
|
|
if err != nil {
|
|
proxy, dst, _ := d.pathAddrs(address)
|
|
return nil, &net.OpError{Op: d.cmd.String(), Net: network, Source: proxy, Addr: dst, Err: err}
|
|
}
|
|
a, err := d.connect(ctx, c, address)
|
|
if err != nil {
|
|
c.Close()
|
|
proxy, dst, _ := d.pathAddrs(address)
|
|
return nil, &net.OpError{Op: d.cmd.String(), Net: network, Source: proxy, Addr: dst, Err: err}
|
|
}
|
|
return &Conn{Conn: c, boundAddr: a}, nil
|
|
}
|
|
|
|
// DialWithConn initiates a connection from SOCKS server to the target
|
|
// network and address using the connection c that is already
|
|
// connected to the SOCKS server.
|
|
//
|
|
// It returns the connection's local address assigned by the SOCKS
|
|
// server.
|
|
func (d *Dialer) DialWithConn(ctx context.Context, c net.Conn, network, address string) (net.Addr, error) {
|
|
if err := d.validateTarget(network, address); err != nil {
|
|
proxy, dst, _ := d.pathAddrs(address)
|
|
return nil, &net.OpError{Op: d.cmd.String(), Net: network, Source: proxy, Addr: dst, Err: err}
|
|
}
|
|
if ctx == nil {
|
|
proxy, dst, _ := d.pathAddrs(address)
|
|
return nil, &net.OpError{Op: d.cmd.String(), Net: network, Source: proxy, Addr: dst, Err: errors.New("nil context")}
|
|
}
|
|
a, err := d.connect(ctx, c, address)
|
|
if err != nil {
|
|
proxy, dst, _ := d.pathAddrs(address)
|
|
return nil, &net.OpError{Op: d.cmd.String(), Net: network, Source: proxy, Addr: dst, Err: err}
|
|
}
|
|
return a, nil
|
|
}
|
|
|
|
// Dial connects to the provided address on the provided network.
|
|
//
|
|
// Unlike DialContext, it returns a raw transport connection instead
|
|
// of a forward proxy connection.
|
|
//
|
|
// Deprecated: Use DialContext or DialWithConn instead.
|
|
func (d *Dialer) Dial(network, address string) (net.Conn, error) {
|
|
if err := d.validateTarget(network, address); err != nil {
|
|
proxy, dst, _ := d.pathAddrs(address)
|
|
return nil, &net.OpError{Op: d.cmd.String(), Net: network, Source: proxy, Addr: dst, Err: err}
|
|
}
|
|
var err error
|
|
var c net.Conn
|
|
if d.ProxyDial != nil {
|
|
c, err = d.ProxyDial(context.Background(), d.proxyNetwork, d.proxyAddress)
|
|
} else {
|
|
c, err = net.Dial(d.proxyNetwork, d.proxyAddress)
|
|
}
|
|
if err != nil {
|
|
proxy, dst, _ := d.pathAddrs(address)
|
|
return nil, &net.OpError{Op: d.cmd.String(), Net: network, Source: proxy, Addr: dst, Err: err}
|
|
}
|
|
if _, err := d.DialWithConn(context.Background(), c, network, address); err != nil {
|
|
c.Close()
|
|
return nil, err
|
|
}
|
|
return c, nil
|
|
}
|
|
|
|
func (d *Dialer) validateTarget(network, address string) error {
|
|
switch network {
|
|
case "tcp", "tcp6", "tcp4":
|
|
default:
|
|
return errors.New("network not implemented")
|
|
}
|
|
switch d.cmd {
|
|
case CmdConnect, cmdBind:
|
|
default:
|
|
return errors.New("command not implemented")
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func (d *Dialer) pathAddrs(address string) (proxy, dst net.Addr, err error) {
|
|
for i, s := range []string{d.proxyAddress, address} {
|
|
host, port, err := splitHostPort(s)
|
|
if err != nil {
|
|
return nil, nil, err
|
|
}
|
|
a := &Addr{Port: port}
|
|
a.IP = net.ParseIP(host)
|
|
if a.IP == nil {
|
|
a.Name = host
|
|
}
|
|
if i == 0 {
|
|
proxy = a
|
|
} else {
|
|
dst = a
|
|
}
|
|
}
|
|
return
|
|
}
|
|
|
|
// NewDialer returns a new Dialer that dials through the provided
|
|
// proxy server's network and address.
|
|
func NewDialer(network, address string) *Dialer {
|
|
return &Dialer{proxyNetwork: network, proxyAddress: address, cmd: CmdConnect}
|
|
}
|
|
|
|
const (
|
|
authUsernamePasswordVersion = 0x01
|
|
authStatusSucceeded = 0x00
|
|
)
|
|
|
|
// UsernamePassword are the credentials for the username/password
|
|
// authentication method.
|
|
type UsernamePassword struct {
|
|
Username string
|
|
Password string
|
|
}
|
|
|
|
// Authenticate authenticates a pair of username and password with the
|
|
// proxy server.
|
|
func (up *UsernamePassword) Authenticate(ctx context.Context, rw io.ReadWriter, auth AuthMethod) error {
|
|
switch auth {
|
|
case AuthMethodNotRequired:
|
|
return nil
|
|
case AuthMethodUsernamePassword:
|
|
if len(up.Username) == 0 || len(up.Username) > 255 || len(up.Password) == 0 || len(up.Password) > 255 {
|
|
return errors.New("invalid username/password")
|
|
}
|
|
b := []byte{authUsernamePasswordVersion}
|
|
b = append(b, byte(len(up.Username)))
|
|
b = append(b, up.Username...)
|
|
b = append(b, byte(len(up.Password)))
|
|
b = append(b, up.Password...)
|
|
// TODO(mikio): handle IO deadlines and cancelation if
|
|
// necessary
|
|
if _, err := rw.Write(b); err != nil {
|
|
return err
|
|
}
|
|
if _, err := io.ReadFull(rw, b[:2]); err != nil {
|
|
return err
|
|
}
|
|
if b[0] != authUsernamePasswordVersion {
|
|
return errors.New("invalid username/password version")
|
|
}
|
|
if b[1] != authStatusSucceeded {
|
|
return errors.New("username/password authentication failed")
|
|
}
|
|
return nil
|
|
}
|
|
return errors.New("unsupported authentication method " + strconv.Itoa(int(auth)))
|
|
}
|