[tor-commits] [httpsproxy/master] Integrate utls, forwardproxy/httpclient, cosmetics (#2)

Tue Aug 7 00:27:47 UTC 2018

commit f39e2c48e9a13a286622b7fdd73ca098ab9705f3
Author: sergeyfrolov <sergey.frolov at colorado.edu>
Date:   Mon Aug 6 11:08:28 2018 -0400

    Integrate utls, forwardproxy/httpclient, cosmetics (#2)
    
    Integrate utls, forwardproxy/httpclient, cosmetics
---
 client/client.go | 252 ++++++++++++++-----------------------------------------
 1 file changed, 62 insertions(+), 190 deletions(-)

diff --git a/client/client.go b/client/client.go
index eea871d..c9907c5 100644
--- a/client/client.go
+++ b/client/client.go
@@ -16,9 +16,6 @@
 package main
 
 import (
-	"bufio"
-	"crypto/tls"
-	"encoding/base64"
 	"errors"
 	"flag"
 	"fmt"
@@ -35,10 +32,12 @@ import (
 	"syscall"
 
 	pt "git.torproject.org/pluggable-transports/goptlib.git"
-	"golang.org/x/net/http2"
+	"github.com/caddyserver/forwardproxy/httpclient"
+	tls "github.com/refraction-networking/utls"
 )
 
 var ptInfo pt.ClientInfo
+var utlsRoller *tls.Roller
 
 // When a connection handler starts, +1 is written to this channel; when it
 // ends, -1 is written.
@@ -53,14 +52,13 @@ var handlerChan = make(chan int)
 // Reasoning: http2ResponseWriter will not flush on its own, so we have to do it manually.
 func flushingIoCopy(dst io.Writer, src io.Reader, buf []byte) (written int64, err error) {
 	flusher, ok := dst.(http.Flusher)
-	if !ok {
-		return io.CopyBuffer(dst, src, buf)
-	}
 	for {
 		nr, er := src.Read(buf)
 		if nr > 0 {
 			nw, ew := dst.Write(buf[0:nr])
-			flusher.Flush()
+			if ok {
+				flusher.Flush()
+			}
 			if nw > 0 {
 				written += int64(nw)
 			}
@@ -84,36 +82,18 @@ func flushingIoCopy(dst io.Writer, src io.Reader, buf []byte) (written int64, er
 }
 
 // simple copy loop without padding, works with http/1.1
-// TODO: we can't pad, but we probably can split
 func copyLoop(local, remote net.Conn) {
 	var wg sync.WaitGroup
 	wg.Add(2)
 
+	buf1 := make([]byte, 65536)
+	buf2 := make([]byte, 65536)
 	go func() {
-		io.Copy(remote, local)
+		flushingIoCopy(local, remote, buf1)
 		wg.Done()
 	}()
 	go func() {
-		io.Copy(local, remote)
-		wg.Done()
-	}()
-	// TODO: try not to spawn extra goroutine
-
-	wg.Wait()
-}
-
-func h2copyLoop(w1 io.Writer, r1 io.Reader, w2 io.Writer, r2 io.Reader) {
-	var wg sync.WaitGroup
-	wg.Add(2)
-
-	buf1 := make([]byte, 16384)
-	buf2 := make([]byte, 16384)
-	go func() {
-		flushingIoCopy(w1, r1, buf1)
-		wg.Done()
-	}()
-	go func() {
-		flushingIoCopy(w2, r2, buf2)
+		flushingIoCopy(remote, local, buf2)
 		wg.Done()
 	}()
 	// TODO: try not to spawn extra goroutine
@@ -124,20 +104,20 @@ func h2copyLoop(w1 io.Writer, r1 io.Reader, w2 io.Writer, r2 io.Reader) {
 func parseTCPAddr(s string) (*net.TCPAddr, error) {
 	hostStr, portStr, err := net.SplitHostPort(s)
 	if err != nil {
-		fmt.Printf("net.SplitHostPort(%s) failed: %+v", s, err)
+		log.Printf("net.SplitHostPort(%s) failed: %+v", s, err)
 		return nil, err
 	}
 
 	port, err := strconv.Atoi(portStr)
 	if err != nil {
-		fmt.Printf("strconv.Atoi(%s) failed: %+v", portStr, err)
+		log.Printf("strconv.Atoi(%s) failed: %+v", portStr, err)
 		return nil, err
 	}
 
 	ip := net.ParseIP(hostStr)
 	if ip == nil {
 		err = errors.New("net.ParseIP(" + s + ") returned nil")
-		fmt.Printf("%+v\n", err)
+		log.Printf("%+v\n", err)
 		return nil, err
 	}
 
@@ -155,6 +135,7 @@ func handler(conn *pt.SocksConn) error {
 
 	guardTCPAddr, err := parseTCPAddr(conn.Req.Target)
 	if err != nil {
+		log.Println(err)
 		conn.Reject()
 		return err
 	}
@@ -162,23 +143,51 @@ func handler(conn *pt.SocksConn) error {
 	webproxyUrlArg, ok := conn.Req.Args.Get("url")
 	if !ok {
 		err := errors.New("address of webproxy in form of `url=https://username:password@example.com` is required")
+		log.Println(err)
 		conn.Reject()
 		return err
 	}
 
-	httpsClient, err := NewHTTPSClient(webproxyUrlArg)
+	proxyUrl, err := url.Parse(webproxyUrlArg)
 	if err != nil {
-		log.Printf("NewHTTPSClient(%s, nil) failed: %s\n", webproxyUrlArg, err)
+		log.Println(err)
+		conn.Reject()
+		return err
+	}
+
+	if proxyUrl.Scheme != "https" {
+		err = errors.New("Scheme " + proxyUrl.Scheme + " is not supported")
+		log.Println(err)
 		conn.Reject()
 		return err
 	}
 
-	err = httpsClient.Connect(conn.Req.Target)
+	if proxyUrl.Host == "" {
+		conn.Reject()
+		return errors.New("misparsed `url=`, make sure to specify full url like https://username:password@hostname.com:443/")
+	}
+
+	if proxyUrl.Port() == "" {
+		proxyUrl.Host = net.JoinHostPort(proxyUrl.Host, "443")
+	}
+
+	dialer, err := httpclient.NewHTTPConnectDialer(webproxyUrlArg)
 	if err != nil {
-		log.Printf("httpsClient.Connect(%s, nil) failed: %s\n", conn.Req.Target, err)
+		log.Printf("httpclient.NewHTTPConnectDialer(%s) failed: %s\n", webproxyUrlArg, err)
 		conn.Reject()
 		return err
 	}
+	dialer.DialTLS = func(network string, address string) (net.Conn, string, error) {
+		host, _, err := net.SplitHostPort(address)
+		if err != nil {
+			return nil, "", err
+		}
+		conn, err := utlsRoller.Dial(network, address, host)
+		if err != nil {
+			return nil, "", err
+		}
+		return conn, conn.ConnectionState().NegotiatedProtocol, nil
+	}
 
 	err = conn.Grant(guardTCPAddr)
 	if err != nil {
@@ -187,7 +196,15 @@ func handler(conn *pt.SocksConn) error {
 		return err
 	}
 
-	return httpsClient.CopyLoop(conn)
+	remoteConn, err := dialer.Dial("tcp", conn.Req.Target)
+	if err != nil {
+		log.Printf("dialer.Dial(%s) failed: %s\n", conn.Req.Target, err)
+		conn.Reject()
+		return err
+	}
+
+	copyLoop(conn, remoteConn)
+	return nil
 }
 
 func acceptLoop(ln *pt.SocksListener) error {
@@ -231,6 +248,13 @@ func main() {
 		log.SetOutput(f)
 	}
 
+	utlsRoller, err = tls.NewRoller()
+	if err != nil {
+		pt.CmethodError("httpsproxy",
+			fmt.Sprintf("could not creat utls.Roller: %v", err))
+		os.Exit(3)
+	}
+
 	listeners := make([]net.Listener, 0)
 	for _, methodName := range ptInfo.MethodNames {
 		switch methodName {
@@ -282,155 +306,3 @@ func main() {
 		numHandlers += <-handlerChan
 	}
 }
-
-type HTTPConnectClient struct {
-	Header    http.Header
-	ProxyHost string
-	TlsConf   tls.Config
-
-	Conn *tls.Conn
-
-	In  io.Writer
-	Out io.Reader
-}
-
-// NewHTTPSClient creates one-time use client to tunnel traffic via HTTPS proxy.
-// If spkiFp is set, HTTPSClient will use it as SPKI fingerprint to confirm identity of the
-// proxy, instead of relying on standard PKI CA roots
-func NewHTTPSClient(proxyUrlStr string) (*HTTPConnectClient, error) {
-	proxyUrl, err := url.Parse(proxyUrlStr)
-	if err != nil {
-		return nil, err
-	}
-
-	switch proxyUrl.Scheme {
-	case "http", "":
-		fallthrough
-	default:
-		return nil, errors.New("Scheme " + proxyUrl.Scheme + " is not supported")
-	case "https":
-	}
-
-	if proxyUrl.Host == "" {
-		return nil, errors.New("misparsed `url=`, make sure to specify full url like https://username:password@hostname.com:443/")
-	}
-
-	if proxyUrl.Port() == "" {
-		proxyUrl.Host = net.JoinHostPort(proxyUrl.Host, "443")
-	}
-
-	tlsConf := tls.Config{
-		NextProtos: []string{"h2", "http/1.1"},
-		ServerName: proxyUrl.Hostname(),
-	}
-
-	client := &HTTPConnectClient{
-		Header:    make(http.Header),
-		ProxyHost: proxyUrl.Host,
-		TlsConf:   tlsConf,
-	}
-
-	if proxyUrl.User.Username() != "" {
-		password, _ := proxyUrl.User.Password()
-		client.Header.Set("Proxy-Authorization", "Basic "+
-			base64.StdEncoding.EncodeToString([]byte(proxyUrl.User.Username()+":"+password)))
-	}
-	return client, nil
-}
-
-func (c *HTTPConnectClient) Connect(target string) error {
-	req := &http.Request{
-		Method: "CONNECT",
-		URL:    &url.URL{Host: target},
-		Header: c.Header,
-		Host:   target,
-	}
-
-	tcpConn, err := net.Dial("tcp", c.ProxyHost)
-	if err != nil {
-		return err
-	}
-
-	c.Conn = tls.Client(tcpConn, &c.TlsConf)
-
-	err = c.Conn.Handshake()
-	if err != nil {
-		return err
-	}
-
-	var resp *http.Response
-	switch c.Conn.ConnectionState().NegotiatedProtocol {
-	case "":
-		fallthrough
-	case "http/1.1":
-		req.Proto = "HTTP/1.1"
-		req.ProtoMajor = 1
-		req.ProtoMinor = 1
-
-		err = req.Write(c.Conn)
-		if err != nil {
-			c.Conn.Close()
-			return err
-		}
-
-		resp, err = http.ReadResponse(bufio.NewReader(c.Conn), req)
-		if err != nil {
-			c.Conn.Close()
-			return err
-		}
-
-		c.In = c.Conn
-		c.Out = c.Conn
-	case "h2":
-		req.Proto = "HTTP/2.0"
-		req.ProtoMajor = 2
-		req.ProtoMinor = 0
-		pr, pw := io.Pipe()
-		req.Body = ioutil.NopCloser(pr)
-
-		t := http2.Transport{}
-		h2client, err := t.NewClientConn(c.Conn)
-		if err != nil {
-			c.Conn.Close()
-			return err
-		}
-
-		resp, err = h2client.RoundTrip(req)
-		if err != nil {
-			c.Conn.Close()
-			return err
-		}
-
-		c.In = pw
-		c.Out = resp.Body
-	default:
-		c.Conn.Close()
-		return errors.New("negotiated unsupported application layer protocol: " +
-			c.Conn.ConnectionState().NegotiatedProtocol)
-	}
-
-	if resp.StatusCode != http.StatusOK {
-		c.Conn.Close()
-		return errors.New("Proxy responded with non 200 code: " + resp.Status)
-	}
-
-	return nil
-}
-
-func (c *HTTPConnectClient) CopyLoop(conn net.Conn) error {
-	defer c.Conn.Close()
-	defer conn.Close()
-
-	switch c.Conn.ConnectionState().NegotiatedProtocol {
-	case "":
-		fallthrough
-	case "http/1.1":
-		copyLoop(conn, c.Conn)
-	case "h2":
-		h2copyLoop(c.In, conn, conn, c.Out)
-	default:
-		return errors.New("negotiated unsupported application layer protocol: " +
-			c.Conn.ConnectionState().NegotiatedProtocol)
-	}
-	return nil
-}

