yosoyhendrix
/
psiphon-tunnel-core
mirror of https://github.com/Psiphon-Labs/psiphon-tunnel-core


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300
							/*
 * Copyright (c) 2015, Psiphon Inc.
 * All rights reserved.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 *
 */
/*
 * Copyright (c) 2014, Yawning Angel <yawning at torproject dot org>
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are met:
 *
 *  * Redistributions of source code must retain the above copyright notice,
 *    this list of conditions and the following disclaimer.
 *
 *  * Redistributions in binary form must reproduce the above copyright notice,
 *    this list of conditions and the following disclaimer in the documentation
 *    and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 */

package upstreamproxy

import (
	"bufio"
	"fmt"
	"net"
	"net/http"
	"net/http/httputil"
	"net/url"
	"time"

	"github.com/Psiphon-Labs/psiphon-tunnel-core/psiphon/common"
	"golang.org/x/net/proxy"
)

// httpProxy is a HTTP connect proxy.
type httpProxy struct {
	hostPort      string
	username      string
	password      string
	forward       proxy.Dialer
	customHeaders http.Header
}

func newHTTP(uri *url.URL, forward proxy.Dialer) (proxy.Dialer, error) {
	hp := new(httpProxy)
	hp.hostPort = uri.Host
	hp.forward = forward
	if uri.User != nil {
		hp.username = uri.User.Username()
		hp.password, _ = uri.User.Password()
	}

	if upstreamProxyConfig, ok := forward.(*UpstreamProxyConfig); ok {
		hp.customHeaders = upstreamProxyConfig.CustomHeaders
	}

	return hp, nil
}

func (hp *httpProxy) Dial(network, addr string) (net.Conn, error) {
	// Dial and create the http client connection.
	pc := &proxyConn{
		authState:     HTTP_AUTH_STATE_UNCHALLENGED,
		dialFn:        hp.forward.Dial,
		proxyAddr:     hp.hostPort,
		customHeaders: hp.customHeaders,
	}
	err := pc.makeNewClientConn()
	if err != nil {
		// Already wrapped in proxyError
		return nil, err
	}

handshakeLoop:
	for {
		err := pc.handshake(addr, hp.username, hp.password)
		if err != nil {
			// Already wrapped in proxyError
			return nil, err
		}
		switch pc.authState {
		case HTTP_AUTH_STATE_SUCCESS:
			pc.hijackedConn, pc.staleReader = pc.httpClientConn.Hijack()
			return pc, nil
		case HTTP_AUTH_STATE_CHALLENGED:
			continue
		default:
			break handshakeLoop
		}
	}
	return nil, proxyError(fmt.Errorf("unknown handshake error in state %v", pc.authState))
}

type proxyConn struct {
	dialFn         DialFunc
	proxyAddr      string
	customHeaders  http.Header
	httpClientConn *httputil.ClientConn //lint:ignore SA1019 httputil.ClientConn used for client-side hijack
	hijackedConn   net.Conn
	staleReader    *bufio.Reader
	authResponse   *http.Response
	authState      HttpAuthState
	authenticator  HttpAuthenticator
}

func (pc *proxyConn) handshake(addr, username, password string) error {
	// HACK: prefix addr of the form 'hostname:port' with a 'http' scheme
	// so it could be parsed by url.Parse
	reqURL, err := common.SafeParseURL("http://" + addr)
	if err != nil {
		pc.httpClientConn.Close()
		pc.authState = HTTP_AUTH_STATE_FAILURE
		return proxyError(fmt.Errorf("failed to parse proxy address: %v", err))
	}
	reqURL.Scheme = ""

	req, err := http.NewRequest("CONNECT", reqURL.String(), nil)
	if err != nil {
		pc.httpClientConn.Close()
		pc.authState = HTTP_AUTH_STATE_FAILURE
		return proxyError(fmt.Errorf("create proxy request: %v", err))
	}
	req.Close = false
	req.Header.Set("User-Agent", "")

	for k, s := range pc.customHeaders {
		// handle special Host header case
		if k == "Host" {
			if len(s) > 0 {
				// hack around 'CONNECT' special case:
				// https://golang.org/src/net/http/request.go#L476
				// using URL.Opaque, see URL.RequestURI() https://golang.org/src/net/url/url.go#L915
				req.URL.Opaque = req.Host
				req.URL.Path = " "
				req.Host = s[0]
			}
		} else {
			req.Header[k] = s
		}
	}

	if pc.authState == HTTP_AUTH_STATE_CHALLENGED {
		err := pc.authenticator.Authenticate(req, pc.authResponse)
		if err != nil {
			pc.authState = HTTP_AUTH_STATE_FAILURE
			// Already wrapped in proxyError
			return err
		}
	}

	resp, err := pc.httpClientConn.Do(req)

	//lint:ignore SA1019 httputil.ClientConn used for client-side hijack
	errPersistEOF := httputil.ErrPersistEOF

	if err != nil && err != errPersistEOF {
		pc.httpClientConn.Close()
		pc.authState = HTTP_AUTH_STATE_FAILURE
		return proxyError(fmt.Errorf("making proxy request: %v", err))
	}

	if resp.StatusCode == 200 {
		pc.authState = HTTP_AUTH_STATE_SUCCESS
		return nil
	}

	if resp.StatusCode == 407 {
		if pc.authState == HTTP_AUTH_STATE_UNCHALLENGED {
			var authErr error
			pc.authenticator, authErr = NewHttpAuthenticator(resp, username, password)
			if authErr != nil {
				pc.httpClientConn.Close()
				pc.authState = HTTP_AUTH_STATE_FAILURE
				// Already wrapped in proxyError
				return authErr
			}
		}

		pc.authState = HTTP_AUTH_STATE_CHALLENGED
		pc.authResponse = resp
		if username == "" {
			pc.httpClientConn.Close()
			pc.authState = HTTP_AUTH_STATE_FAILURE
			return proxyError(fmt.Errorf("no username credentials provided for proxy auth"))
		}
		if err == errPersistEOF {
			// The server may send Connection: close,
			// at this point we just going to create a new
			// ClientConn and continue the handshake
			err = pc.makeNewClientConn()
			if err != nil {
				// Already wrapped in proxyError
				return err
			}
		}

		headers := resp.Header[http.CanonicalHeaderKey("proxy-connection")]
		for _, header := range headers {
			if header == "close" {
				// The server has signaled that it will close the
				// connection. Create a new ClientConn and continue the
				// handshake.
				err = pc.makeNewClientConn()
				if err != nil {
					// Already wrapped in proxyError
					return err
				}
				break
			}
		}

		return nil
	}
	pc.authState = HTTP_AUTH_STATE_FAILURE
	return proxyError(fmt.Errorf("handshake error: %v, response status: %s", err, resp.Status))
}

func (pc *proxyConn) makeNewClientConn() error {
	c, err := pc.dialFn("tcp", pc.proxyAddr)
	if pc.httpClientConn != nil {
		pc.httpClientConn.Close()
	}
	if err != nil {
		return proxyError(fmt.Errorf("makeNewClientConn: %v", err))
	}
	//lint:ignore SA1019 httputil.ClientConn used for client-side hijack
	pc.httpClientConn = httputil.NewClientConn(c, nil)
	return nil
}

func (pc *proxyConn) Read(b []byte) (int, error) {
	if pc.staleReader != nil {
		if pc.staleReader.Buffered() > 0 {
			return pc.staleReader.Read(b)
		}
		pc.staleReader = nil
	}
	return pc.hijackedConn.Read(b)
}

func (pc *proxyConn) Write(b []byte) (int, error) {
	return pc.hijackedConn.Write(b)
}

func (pc *proxyConn) Close() error {
	return pc.hijackedConn.Close()
}

func (pc *proxyConn) LocalAddr() net.Addr {
	return pc.hijackedConn.LocalAddr()
}

// RemoteAddr returns the network address of the proxy that
// the proxyConn is connected to.
func (pc *proxyConn) RemoteAddr() net.Addr {
	// Note: returning nil here can crash "tls".
	return pc.hijackedConn.RemoteAddr()
}

func (pc *proxyConn) SetDeadline(t time.Time) error {
	return proxyError(fmt.Errorf("not supported"))
}

func (pc *proxyConn) SetReadDeadline(t time.Time) error {
	return proxyError(fmt.Errorf("not supported"))
}

func (pc *proxyConn) SetWriteDeadline(t time.Time) error {
	return proxyError(fmt.Errorf("not supported"))
}

func init() {
	proxy.RegisterDialerType("http", newHTTP)
}