fix(handler/socks5): RFC 1928 compliance — method negotiation, BND.ADDR, UDP ordering, and safe type assertions
- selector.go: Select() now only returns methods the client actually offered, defaulting to MethodNoAcceptable (0xFF) when no mutually-supported method exists. Prevents protocol desync when authenticator is set but client doesn't offer UserPass. (#1, #2) - connect.go: CONNECT success reply now carries the outbound connection's actual local address as BND.ADDR per RFC 1928 §6, instead of 0.0.0.0:0. (#4) - udp.go: UDP ASSOCIATE now verifies the upstream chain is reachable before sending Success to the client; on failure sends a proper Failure reply. Also adds safe type assertions for net.TCPAddr and net.UDPAddr to prevent panics on wrapped connections, and returns errors on DNS resolution failure instead of silently dropping datagrams. (#5, #1, #2, #3)
This commit is contained in:
@@ -27,25 +27,42 @@ func (selector *serverSelector) Methods() []uint8 {
|
||||
|
||||
func (s *serverSelector) Select(methods ...uint8) (method uint8) {
|
||||
s.logger.Debugf("%d %d %v", gosocks5.Ver5, len(methods), methods)
|
||||
method = gosocks5.MethodNoAuth
|
||||
|
||||
// Determine which methods the client offered.
|
||||
var hasNoAuth, hasUserPass, hasTLS, hasTLSAuth bool
|
||||
for _, m := range methods {
|
||||
if m == socks.MethodTLS && !s.noTLS && s.TLSConfig != nil {
|
||||
method = m
|
||||
break
|
||||
switch m {
|
||||
case gosocks5.MethodNoAuth:
|
||||
hasNoAuth = true
|
||||
case gosocks5.MethodUserPass:
|
||||
hasUserPass = true
|
||||
case socks.MethodTLS:
|
||||
hasTLS = true
|
||||
case socks.MethodTLSAuth:
|
||||
hasTLSAuth = true
|
||||
}
|
||||
}
|
||||
|
||||
// when Authenticator is set, auth is mandatory
|
||||
// When Authenticator is set, authentication is mandatory.
|
||||
if s.Authenticator != nil {
|
||||
if method == gosocks5.MethodNoAuth {
|
||||
method = gosocks5.MethodUserPass
|
||||
if hasTLSAuth && !s.noTLS && s.TLSConfig != nil {
|
||||
return socks.MethodTLSAuth
|
||||
}
|
||||
if method == socks.MethodTLS && !s.noTLS {
|
||||
method = socks.MethodTLSAuth
|
||||
if hasUserPass {
|
||||
return gosocks5.MethodUserPass
|
||||
}
|
||||
return gosocks5.MethodNoAcceptable
|
||||
}
|
||||
|
||||
return
|
||||
// No authenticator — select the best unauthenticated method.
|
||||
if hasTLS && !s.noTLS && s.TLSConfig != nil {
|
||||
return socks.MethodTLS
|
||||
}
|
||||
if hasNoAuth {
|
||||
return gosocks5.MethodNoAuth
|
||||
}
|
||||
|
||||
return gosocks5.MethodNoAcceptable
|
||||
}
|
||||
|
||||
func (s *serverSelector) OnSelected(method uint8, conn net.Conn) (string, net.Conn, error) {
|
||||
|
||||
Reference in New Issue
Block a user