mirror of https://github.com/ginuerzh/gost
rui.zheng
9 years ago
21 changed files with 912 additions and 36 deletions
@ -0,0 +1,21 @@ |
|||
MIT License |
|||
|
|||
Copyright (c) 2017 ginuerzh |
|||
|
|||
Permission is hereby granted, free of charge, to any person obtaining a copy |
|||
of this software and associated documentation files (the "Software"), to deal |
|||
in the Software without restriction, including without limitation the rights |
|||
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell |
|||
copies of the Software, and to permit persons to whom the Software is |
|||
furnished to do so, subject to the following conditions: |
|||
|
|||
The above copyright notice and this permission notice shall be included in all |
|||
copies or substantial portions of the Software. |
|||
|
|||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR |
|||
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, |
|||
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE |
|||
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER |
|||
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, |
|||
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE |
|||
SOFTWARE. |
|||
@ -0,0 +1,2 @@ |
|||
# gosocks4 |
|||
golang and SOCKS4(a) |
|||
@ -0,0 +1,252 @@ |
|||
// SOCKS Protocol Version 4(a)
|
|||
// https://www.openssh.com/txt/socks4.protocol
|
|||
// https://www.openssh.com/txt/socks4a.protocol
|
|||
package gosocks4 |
|||
|
|||
import ( |
|||
"bufio" |
|||
"encoding/binary" |
|||
"errors" |
|||
"fmt" |
|||
"io" |
|||
"net" |
|||
"strconv" |
|||
) |
|||
|
|||
const ( |
|||
Ver4 = 4 |
|||
) |
|||
|
|||
const ( |
|||
CmdConnect uint8 = 1 |
|||
CmdBind = 2 |
|||
) |
|||
|
|||
const ( |
|||
AddrIPv4 = 0 |
|||
AddrDomain = 1 |
|||
) |
|||
|
|||
const ( |
|||
Granted = 90 |
|||
Failed = 91 |
|||
Rejected = 92 |
|||
RejectedUserid = 93 |
|||
) |
|||
|
|||
var ( |
|||
ErrBadVersion = errors.New("Bad version") |
|||
ErrBadFormat = errors.New("Bad format") |
|||
ErrBadAddrType = errors.New("Bad address type") |
|||
ErrShortDataLength = errors.New("Short data length") |
|||
ErrBadCmd = errors.New("Bad Command") |
|||
) |
|||
|
|||
type Addr struct { |
|||
Type int |
|||
Host string |
|||
Port uint16 |
|||
} |
|||
|
|||
func (addr *Addr) Decode(b []byte) error { |
|||
if len(b) < 6 { |
|||
return ErrShortDataLength |
|||
} |
|||
|
|||
addr.Port = binary.BigEndian.Uint16(b[0:2]) |
|||
addr.Host = net.IP(b[2 : 2+net.IPv4len]).String() |
|||
|
|||
if b[2]|b[3]|b[4] == 0 { |
|||
addr.Type = AddrDomain |
|||
} |
|||
|
|||
return nil |
|||
} |
|||
|
|||
func (addr *Addr) Encode(b []byte) error { |
|||
if len(b) < 6 { |
|||
return ErrShortDataLength |
|||
} |
|||
|
|||
binary.BigEndian.PutUint16(b[0:2], addr.Port) |
|||
|
|||
switch addr.Type { |
|||
case AddrIPv4: |
|||
ip4 := net.ParseIP(addr.Host).To4() |
|||
if ip4 == nil { |
|||
return ErrBadAddrType |
|||
} |
|||
copy(b[2:], ip4) |
|||
case AddrDomain: |
|||
ip4 := net.IPv4(0, 0, 0, 1) |
|||
copy(b[2:], ip4) |
|||
default: |
|||
return ErrBadAddrType |
|||
} |
|||
|
|||
return nil |
|||
} |
|||
|
|||
func (addr *Addr) String() string { |
|||
return net.JoinHostPort(addr.Host, strconv.Itoa(int(addr.Port))) |
|||
} |
|||
|
|||
/* |
|||
+----+----+----+----+----+----+----+----+----+----+....+----+ |
|||
| VN | CD | DSTPORT | DSTIP | USERID |NULL| |
|||
+----+----+----+----+----+----+----+----+----+----+....+----+ |
|||
1 1 2 4 variable 1 |
|||
*/ |
|||
type Request struct { |
|||
Cmd uint8 |
|||
Addr *Addr |
|||
Userid []byte |
|||
} |
|||
|
|||
func NewRequest(cmd uint8, addr *Addr, userid []byte) *Request { |
|||
return &Request{ |
|||
Cmd: cmd, |
|||
Addr: addr, |
|||
Userid: userid, |
|||
} |
|||
} |
|||
|
|||
func ReadRequest(r io.Reader) (*Request, error) { |
|||
br := bufio.NewReader(r) |
|||
b, err := br.Peek(8) |
|||
if err != nil { |
|||
return nil, err |
|||
} |
|||
|
|||
if b[0] != Ver4 { |
|||
return nil, ErrBadVersion |
|||
} |
|||
|
|||
request := &Request{ |
|||
Cmd: b[1], |
|||
} |
|||
|
|||
addr := &Addr{} |
|||
if err := addr.Decode(b[2:8]); err != nil { |
|||
return nil, err |
|||
} |
|||
request.Addr = addr |
|||
|
|||
if _, err := br.Discard(8); err != nil { |
|||
return nil, err |
|||
} |
|||
b, err = br.ReadBytes(0) |
|||
if err != nil { |
|||
return nil, err |
|||
} |
|||
request.Userid = b[:len(b)-1] |
|||
|
|||
if request.Addr.Type == AddrDomain { |
|||
b, err = br.ReadBytes(0) |
|||
if err != nil { |
|||
return nil, err |
|||
} |
|||
request.Addr.Host = string(b[:len(b)-1]) |
|||
} |
|||
|
|||
return request, nil |
|||
} |
|||
|
|||
func (r *Request) Write(w io.Writer) (err error) { |
|||
bw := bufio.NewWriter(w) |
|||
bw.Write([]byte{Ver4, r.Cmd}) |
|||
|
|||
if r.Addr == nil { |
|||
return ErrBadAddrType |
|||
} |
|||
|
|||
var b [6]byte |
|||
if err = r.Addr.Encode(b[:]); err != nil { |
|||
return |
|||
} |
|||
bw.Write(b[:]) |
|||
|
|||
if len(r.Userid) > 0 { |
|||
bw.Write(r.Userid) |
|||
} |
|||
bw.WriteByte(0) |
|||
|
|||
if r.Addr.Type == AddrDomain { |
|||
bw.WriteString(r.Addr.Host) |
|||
bw.WriteByte(0) |
|||
} |
|||
|
|||
return bw.Flush() |
|||
} |
|||
|
|||
func (r *Request) String() string { |
|||
addr := r.Addr |
|||
if addr == nil { |
|||
addr = &Addr{} |
|||
} |
|||
return fmt.Sprintf("%d %d %s", Ver4, r.Cmd, addr.String()) |
|||
} |
|||
|
|||
/* |
|||
+----+----+----+----+----+----+----+----+ |
|||
| VN | CD | DSTPORT | DSTIP | |
|||
+----+----+----+----+----+----+----+----+ |
|||
1 1 2 4 |
|||
*/ |
|||
type Reply struct { |
|||
Code uint8 |
|||
Addr *Addr |
|||
} |
|||
|
|||
func NewReply(code uint8, addr *Addr) *Reply { |
|||
return &Reply{ |
|||
Code: code, |
|||
Addr: addr, |
|||
} |
|||
} |
|||
|
|||
func ReadReply(r io.Reader) (*Reply, error) { |
|||
var b [8]byte |
|||
|
|||
_, err := io.ReadFull(r, b[:]) |
|||
if err != nil { |
|||
return nil, err |
|||
} |
|||
|
|||
if b[0] != 0 { |
|||
return nil, ErrBadVersion |
|||
} |
|||
|
|||
reply := &Reply{ |
|||
Code: b[1], |
|||
} |
|||
|
|||
reply.Addr = &Addr{} |
|||
if err := reply.Addr.Decode(b[2:]); err != nil { |
|||
return nil, err |
|||
} |
|||
|
|||
return reply, nil |
|||
} |
|||
|
|||
func (r *Reply) Write(w io.Writer) (err error) { |
|||
var b [8]byte |
|||
|
|||
b[1] = r.Code |
|||
if r.Addr != nil { |
|||
if err = r.Addr.Encode(b[2:]); err != nil { |
|||
return |
|||
} |
|||
} |
|||
|
|||
_, err = w.Write(b[:]) |
|||
return |
|||
} |
|||
|
|||
func (r *Reply) String() string { |
|||
addr := r.Addr |
|||
if addr == nil { |
|||
addr = &Addr{} |
|||
} |
|||
return fmt.Sprintf("0 %d %s", r.Code, addr.String()) |
|||
} |
|||
@ -0,0 +1,152 @@ |
|||
SOCKS: A protocol for TCP proxy across firewalls |
|||
|
|||
Ying-Da Lee |
|||
Principal Member Technical Staff |
|||
NEC Systems Laboratory, CSTC |
|||
[email protected] |
|||
|
|||
SOCKS was originally developed by David Koblas and subsequently modified |
|||
and extended by me to its current running version -- version 4. It is a |
|||
protocol that relays TCP sessions at a firewall host to allow application |
|||
users transparent access across the firewall. Because the protocol is |
|||
independent of application protocols, it can be (and has been) used for |
|||
many different services, such as telnet, ftp, finger, whois, gopher, WWW, |
|||
etc. Access control can be applied at the beginning of each TCP session; |
|||
thereafter the server simply relays the data between the client and the |
|||
application server, incurring minimum processing overhead. Since SOCKS |
|||
never has to know anything about the application protocol, it should also |
|||
be easy for it to accommodate applications which use encryption to protect |
|||
their traffic from nosey snoopers. |
|||
|
|||
Two operations are defined: CONNECT and BIND. |
|||
|
|||
1) CONNECT |
|||
|
|||
The client connects to the SOCKS server and sends a CONNECT request when |
|||
it wants to establish a connection to an application server. The client |
|||
includes in the request packet the IP address and the port number of the |
|||
destination host, and userid, in the following format. |
|||
|
|||
+----+----+----+----+----+----+----+----+----+----+....+----+ |
|||
| VN | CD | DSTPORT | DSTIP | USERID |NULL| |
|||
+----+----+----+----+----+----+----+----+----+----+....+----+ |
|||
# of bytes: 1 1 2 4 variable 1 |
|||
|
|||
VN is the SOCKS protocol version number and should be 4. CD is the |
|||
SOCKS command code and should be 1 for CONNECT request. NULL is a byte |
|||
of all zero bits. |
|||
|
|||
The SOCKS server checks to see whether such a request should be granted |
|||
based on any combination of source IP address, destination IP address, |
|||
destination port number, the userid, and information it may obtain by |
|||
consulting IDENT, cf. RFC 1413. If the request is granted, the SOCKS |
|||
server makes a connection to the specified port of the destination host. |
|||
A reply packet is sent to the client when this connection is established, |
|||
or when the request is rejected or the operation fails. |
|||
|
|||
+----+----+----+----+----+----+----+----+ |
|||
| VN | CD | DSTPORT | DSTIP | |
|||
+----+----+----+----+----+----+----+----+ |
|||
# of bytes: 1 1 2 4 |
|||
|
|||
VN is the version of the reply code and should be 0. CD is the result |
|||
code with one of the following values: |
|||
|
|||
90: request granted |
|||
91: request rejected or failed |
|||
92: request rejected becasue SOCKS server cannot connect to |
|||
identd on the client |
|||
93: request rejected because the client program and identd |
|||
report different user-ids |
|||
|
|||
The remaining fields are ignored. |
|||
|
|||
The SOCKS server closes its connection immediately after notifying |
|||
the client of a failed or rejected request. For a successful request, |
|||
the SOCKS server gets ready to relay traffic on both directions. This |
|||
enables the client to do I/O on its connection as if it were directly |
|||
connected to the application server. |
|||
|
|||
|
|||
2) BIND |
|||
|
|||
The client connects to the SOCKS server and sends a BIND request when |
|||
it wants to prepare for an inbound connection from an application server. |
|||
This should only happen after a primary connection to the application |
|||
server has been established with a CONNECT. Typically, this is part of |
|||
the sequence of actions: |
|||
|
|||
-bind(): obtain a socket |
|||
-getsockname(): get the IP address and port number of the socket |
|||
-listen(): ready to accept call from the application server |
|||
-use the primary connection to inform the application server of |
|||
the IP address and the port number that it should connect to. |
|||
-accept(): accept a connection from the application server |
|||
|
|||
The purpose of SOCKS BIND operation is to support such a sequence |
|||
but using a socket on the SOCKS server rather than on the client. |
|||
|
|||
The client includes in the request packet the IP address of the |
|||
application server, the destination port used in the primary connection, |
|||
and the userid. |
|||
|
|||
+----+----+----+----+----+----+----+----+----+----+....+----+ |
|||
| VN | CD | DSTPORT | DSTIP | USERID |NULL| |
|||
+----+----+----+----+----+----+----+----+----+----+....+----+ |
|||
# of bytes: 1 1 2 4 variable 1 |
|||
|
|||
VN is again 4 for the SOCKS protocol version number. CD must be 2 to |
|||
indicate BIND request. |
|||
|
|||
The SOCKS server uses the client information to decide whether the |
|||
request is to be granted. The reply it sends back to the client has |
|||
the same format as the reply for CONNECT request, i.e., |
|||
|
|||
+----+----+----+----+----+----+----+----+ |
|||
| VN | CD | DSTPORT | DSTIP | |
|||
+----+----+----+----+----+----+----+----+ |
|||
# of bytes: 1 1 2 4 |
|||
|
|||
VN is the version of the reply code and should be 0. CD is the result |
|||
code with one of the following values: |
|||
|
|||
90: request granted |
|||
91: request rejected or failed |
|||
92: request rejected becasue SOCKS server cannot connect to |
|||
identd on the client |
|||
93: request rejected because the client program and identd |
|||
report different user-ids. |
|||
|
|||
However, for a granted request (CD is 90), the DSTPORT and DSTIP fields |
|||
are meaningful. In that case, the SOCKS server obtains a socket to wait |
|||
for an incoming connection and sends the port number and the IP address |
|||
of that socket to the client in DSTPORT and DSTIP, respectively. If the |
|||
DSTIP in the reply is 0 (the value of constant INADDR_ANY), then the |
|||
client should replace it by the IP address of the SOCKS server to which |
|||
the cleint is connected. (This happens if the SOCKS server is not a |
|||
multi-homed host.) In the typical scenario, these two numbers are |
|||
made available to the application client prgram via the result of the |
|||
subsequent getsockname() call. The application protocol must provide a |
|||
way for these two pieces of information to be sent from the client to |
|||
the application server so that it can initiate the connection, which |
|||
connects it to the SOCKS server rather than directly to the application |
|||
client as it normally would. |
|||
|
|||
The SOCKS server sends a second reply packet to the client when the |
|||
anticipated connection from the application server is established. |
|||
The SOCKS server checks the IP address of the originating host against |
|||
the value of DSTIP specified in the client's BIND request. If a mismatch |
|||
is found, the CD field in the second reply is set to 91 and the SOCKS |
|||
server closes both connections. If the two match, CD in the second |
|||
reply is set to 90 and the SOCKS server gets ready to relay the traffic |
|||
on its two connections. From then on the client does I/O on its connection |
|||
to the SOCKS server as if it were directly connected to the application |
|||
server. |
|||
|
|||
|
|||
|
|||
For both CONNECT and BIND operations, the server sets a time limit |
|||
(2 minutes in current CSTC implementation) for the establishment of its |
|||
connection with the application server. If the connection is still not |
|||
establiched when the time limit expires, the server closes its connection |
|||
to the client and gives up. |
|||
@ -0,0 +1,39 @@ |
|||
SOCKS 4A: A Simple Extension to SOCKS 4 Protocol |
|||
|
|||
Ying-Da Lee |
|||
[email protected] or [email protected] |
|||
|
|||
Please read SOCKS4.protocol first for an description of the version 4 |
|||
protocol. This extension is intended to allow the use of SOCKS on hosts |
|||
which are not capable of resolving all domain names. |
|||
|
|||
In version 4, the client sends the following packet to the SOCKS server |
|||
to request a CONNECT or a BIND operation: |
|||
|
|||
+----+----+----+----+----+----+----+----+----+----+....+----+ |
|||
| VN | CD | DSTPORT | DSTIP | USERID |NULL| |
|||
+----+----+----+----+----+----+----+----+----+----+....+----+ |
|||
# of bytes: 1 1 2 4 variable 1 |
|||
|
|||
VN is the SOCKS protocol version number and should be 4. CD is the |
|||
SOCKS command code and should be 1 for CONNECT or 2 for BIND. NULL |
|||
is a byte of all zero bits. |
|||
|
|||
For version 4A, if the client cannot resolve the destination host's |
|||
domain name to find its IP address, it should set the first three bytes |
|||
of DSTIP to NULL and the last byte to a non-zero value. (This corresponds |
|||
to IP address 0.0.0.x, with x nonzero. As decreed by IANA -- The |
|||
Internet Assigned Numbers Authority -- such an address is inadmissible |
|||
as a destination IP address and thus should never occur if the client |
|||
can resolve the domain name.) Following the NULL byte terminating |
|||
USERID, the client must sends the destination domain name and termiantes |
|||
it with another NULL byte. This is used for both CONNECT and BIND requests. |
|||
|
|||
A server using protocol 4A must check the DSTIP in the request packet. |
|||
If it represent address 0.0.0.x with nonzero x, the server must read |
|||
in the domain name that the client sends in the packet. The server |
|||
should resolve the domain name and make connection to the destination |
|||
host if it can. |
|||
|
|||
SOCKSified sockd may pass domain names that it cannot resolve to |
|||
the next-hop SOCKS server. |
|||
Loading…
Reference in new issue