| // Copyright 2018 The Go Authors. All rights reserved. |
| // Use of this source code is governed by a BSD-style |
| // license that can be found in the LICENSE file. |
| |
| // Package socks provides a SOCKS version 5 client implementation. |
| // |
| // SOCKS protocol version 5 is defined in RFC 1928. |
| // Username/Password authentication for SOCKS version 5 is defined in |
| // RFC 1929. |
| package socks |
| |
| import ( |
| "context" |
| "errors" |
| "io" |
| "net" |
| "strconv" |
| ) |
| |
| // A Command represents a SOCKS command. |
| type Command int |
| |
| func (cmd Command) String() string { |
| switch cmd { |
| case CmdConnect: |
| return "socks connect" |
| case cmdBind: |
| return "socks bind" |
| default: |
| return "socks " + strconv.Itoa(int(cmd)) |
| } |
| } |
| |
| // An AuthMethod represents a SOCKS authentication method. |
| type AuthMethod int |
| |
| // A Reply represents a SOCKS command reply code. |
| type Reply int |
| |
| func (code Reply) String() string { |
| switch code { |
| case StatusSucceeded: |
| return "succeeded" |
| case 0x01: |
| return "general SOCKS server failure" |
| case 0x02: |
| return "connection not allowed by ruleset" |
| case 0x03: |
| return "network unreachable" |
| case 0x04: |
| return "host unreachable" |
| case 0x05: |
| return "connection refused" |
| case 0x06: |
| return "TTL expired" |
| case 0x07: |
| return "command not supported" |
| case 0x08: |
| return "address type not supported" |
| default: |
| return "unknown code: " + strconv.Itoa(int(code)) |
| } |
| } |
| |
| // Wire protocol constants. |
| const ( |
| Version5 = 0x05 |
| |
| AddrTypeIPv4 = 0x01 |
| AddrTypeFQDN = 0x03 |
| AddrTypeIPv6 = 0x04 |
| |
| CmdConnect Command = 0x01 // establishes an active-open forward proxy connection |
| cmdBind Command = 0x02 // establishes a passive-open forward proxy connection |
| |
| AuthMethodNotRequired AuthMethod = 0x00 // no authentication required |
| AuthMethodUsernamePassword AuthMethod = 0x02 // use username/password |
| AuthMethodNoAcceptableMethods AuthMethod = 0xff // no acceptable authentication methods |
| |
| StatusSucceeded Reply = 0x00 |
| ) |
| |
| // An Addr represents a SOCKS-specific address. |
| // Either Name or IP is used exclusively. |
| type Addr struct { |
| Name string // fully-qualified domain name |
| IP net.IP |
| Port int |
| } |
| |
| func (a *Addr) Network() string { return "socks" } |
| |
| func (a *Addr) String() string { |
| if a == nil { |
| return "<nil>" |
| } |
| port := strconv.Itoa(a.Port) |
| if a.IP == nil { |
| return net.JoinHostPort(a.Name, port) |
| } |
| return net.JoinHostPort(a.IP.String(), port) |
| } |
| |
| // A Conn represents a forward proxy connection. |
| type Conn struct { |
| net.Conn |
| |
| boundAddr net.Addr |
| } |
| |
| // BoundAddr returns the address assigned by the proxy server for |
| // connecting to the command target address from the proxy server. |
| func (c *Conn) BoundAddr() net.Addr { |
| if c == nil { |
| return nil |
| } |
| return c.boundAddr |
| } |
| |
| // A Dialer holds SOCKS-specific options. |
| type Dialer struct { |
| cmd Command // either CmdConnect or cmdBind |
| proxyNetwork string // network between a proxy server and a client |
| proxyAddress string // proxy server address |
| |
| // ProxyDial specifies the optional dial function for |
| // establishing the transport connection. |
| ProxyDial func(context.Context, string, string) (net.Conn, error) |
| |
| // AuthMethods specifies the list of request authentication |
| // methods. |
| // If empty, SOCKS client requests only AuthMethodNotRequired. |
| AuthMethods []AuthMethod |
| |
| // Authenticate specifies the optional authentication |
| // function. It must be non-nil when AuthMethods is not empty. |
| // It must return an error when the authentication is failed. |
| Authenticate func(context.Context, io.ReadWriter, AuthMethod) error |
| } |
| |
| // DialContext connects to the provided address on the provided |
| // network. |
| // |
| // The returned error value may be a net.OpError. When the Op field of |
| // net.OpError contains "socks", the Source field contains a proxy |
| // server address and the Addr field contains a command target |
| // address. |
| // |
| // See func Dial of the net package of standard library for a |
| // description of the network and address parameters. |
| func (d *Dialer) DialContext(ctx context.Context, network, address string) (net.Conn, error) { |
| if err := d.validateTarget(network, address); err != nil { |
| proxy, dst, _ := d.pathAddrs(address) |
| return nil, &net.OpError{Op: d.cmd.String(), Net: network, Source: proxy, Addr: dst, Err: err} |
| } |
| if ctx == nil { |
| proxy, dst, _ := d.pathAddrs(address) |
| return nil, &net.OpError{Op: d.cmd.String(), Net: network, Source: proxy, Addr: dst, Err: errors.New("nil context")} |
| } |
| var err error |
| var c net.Conn |
| if d.ProxyDial != nil { |
| c, err = d.ProxyDial(ctx, d.proxyNetwork, d.proxyAddress) |
| } else { |
| var dd net.Dialer |
| c, err = dd.DialContext(ctx, d.proxyNetwork, d.proxyAddress) |
| } |
| if err != nil { |
| proxy, dst, _ := d.pathAddrs(address) |
| return nil, &net.OpError{Op: d.cmd.String(), Net: network, Source: proxy, Addr: dst, Err: err} |
| } |
| a, err := d.connect(ctx, c, address) |
| if err != nil { |
| c.Close() |
| proxy, dst, _ := d.pathAddrs(address) |
| return nil, &net.OpError{Op: d.cmd.String(), Net: network, Source: proxy, Addr: dst, Err: err} |
| } |
| return &Conn{Conn: c, boundAddr: a}, nil |
| } |
| |
| // DialWithConn initiates a connection from SOCKS server to the target |
| // network and address using the connection c that is already |
| // connected to the SOCKS server. |
| // |
| // It returns the connection's local address assigned by the SOCKS |
| // server. |
| func (d *Dialer) DialWithConn(ctx context.Context, c net.Conn, network, address string) (net.Addr, error) { |
| if err := d.validateTarget(network, address); err != nil { |
| proxy, dst, _ := d.pathAddrs(address) |
| return nil, &net.OpError{Op: d.cmd.String(), Net: network, Source: proxy, Addr: dst, Err: err} |
| } |
| if ctx == nil { |
| proxy, dst, _ := d.pathAddrs(address) |
| return nil, &net.OpError{Op: d.cmd.String(), Net: network, Source: proxy, Addr: dst, Err: errors.New("nil context")} |
| } |
| a, err := d.connect(ctx, c, address) |
| if err != nil { |
| proxy, dst, _ := d.pathAddrs(address) |
| return nil, &net.OpError{Op: d.cmd.String(), Net: network, Source: proxy, Addr: dst, Err: err} |
| } |
| return a, nil |
| } |
| |
| // Dial connects to the provided address on the provided network. |
| // |
| // Unlike DialContext, it returns a raw transport connection instead |
| // of a forward proxy connection. |
| // |
| // Deprecated: Use DialContext or DialWithConn instead. |
| func (d *Dialer) Dial(network, address string) (net.Conn, error) { |
| if err := d.validateTarget(network, address); err != nil { |
| proxy, dst, _ := d.pathAddrs(address) |
| return nil, &net.OpError{Op: d.cmd.String(), Net: network, Source: proxy, Addr: dst, Err: err} |
| } |
| var err error |
| var c net.Conn |
| if d.ProxyDial != nil { |
| c, err = d.ProxyDial(context.Background(), d.proxyNetwork, d.proxyAddress) |
| } else { |
| c, err = net.Dial(d.proxyNetwork, d.proxyAddress) |
| } |
| if err != nil { |
| proxy, dst, _ := d.pathAddrs(address) |
| return nil, &net.OpError{Op: d.cmd.String(), Net: network, Source: proxy, Addr: dst, Err: err} |
| } |
| if _, err := d.DialWithConn(context.Background(), c, network, address); err != nil { |
| c.Close() |
| return nil, err |
| } |
| return c, nil |
| } |
| |
| func (d *Dialer) validateTarget(network, address string) error { |
| switch network { |
| case "tcp", "tcp6", "tcp4": |
| default: |
| return errors.New("network not implemented") |
| } |
| switch d.cmd { |
| case CmdConnect, cmdBind: |
| default: |
| return errors.New("command not implemented") |
| } |
| return nil |
| } |
| |
| func (d *Dialer) pathAddrs(address string) (proxy, dst net.Addr, err error) { |
| for i, s := range []string{d.proxyAddress, address} { |
| host, port, err := splitHostPort(s) |
| if err != nil { |
| return nil, nil, err |
| } |
| a := &Addr{Port: port} |
| a.IP = net.ParseIP(host) |
| if a.IP == nil { |
| a.Name = host |
| } |
| if i == 0 { |
| proxy = a |
| } else { |
| dst = a |
| } |
| } |
| return |
| } |
| |
| // NewDialer returns a new Dialer that dials through the provided |
| // proxy server's network and address. |
| func NewDialer(network, address string) *Dialer { |
| return &Dialer{proxyNetwork: network, proxyAddress: address, cmd: CmdConnect} |
| } |
| |
| const ( |
| authUsernamePasswordVersion = 0x01 |
| authStatusSucceeded = 0x00 |
| ) |
| |
| // UsernamePassword are the credentials for the username/password |
| // authentication method. |
| type UsernamePassword struct { |
| Username string |
| Password string |
| } |
| |
| // Authenticate authenticates a pair of username and password with the |
| // proxy server. |
| func (up *UsernamePassword) Authenticate(ctx context.Context, rw io.ReadWriter, auth AuthMethod) error { |
| switch auth { |
| case AuthMethodNotRequired: |
| return nil |
| case AuthMethodUsernamePassword: |
| if len(up.Username) == 0 || len(up.Username) > 255 || len(up.Password) == 0 || len(up.Password) > 255 { |
| return errors.New("invalid username/password") |
| } |
| b := []byte{authUsernamePasswordVersion} |
| b = append(b, byte(len(up.Username))) |
| b = append(b, up.Username...) |
| b = append(b, byte(len(up.Password))) |
| b = append(b, up.Password...) |
| // TODO(mikio): handle IO deadlines and cancelation if |
| // necessary |
| if _, err := rw.Write(b); err != nil { |
| return err |
| } |
| if _, err := io.ReadFull(rw, b[:2]); err != nil { |
| return err |
| } |
| if b[0] != authUsernamePasswordVersion { |
| return errors.New("invalid username/password version") |
| } |
| if b[1] != authStatusSucceeded { |
| return errors.New("username/password authentication failed") |
| } |
| return nil |
| } |
| return errors.New("unsupported authentication method " + strconv.Itoa(int(auth))) |
| } |
