add pkgs from core

2022-04-04 12:44:35 +08:00
parent 7eb3687e0e
commit a3346ad246
188 changed files with 6084 additions and 283 deletions
--- a/internal/util/matcher/matcher.go
+++ b/internal/util/matcher/matcher.go
@ -0,0 +1,99 @@
+package matcher
+
+import (
+	"net"
+	"strings"
+
+	"github.com/gobwas/glob"
+)
+
+// Matcher is a generic pattern matcher,
+// it gives the match result of the given pattern for specific v.
+type Matcher interface {
+	Match(v string) bool
+}
+
+// NewMatcher creates a Matcher for the given pattern.
+// The acutal Matcher depends on the pattern:
+// IP Matcher if pattern is a valid IP address.
+// CIDR Matcher if pattern is a valid CIDR address.
+// Domain Matcher if both of the above are not.
+func NewMatcher(pattern string) Matcher {
+	if pattern == "" {
+		return nil
+	}
+	if ip := net.ParseIP(pattern); ip != nil {
+		return IPMatcher(ip)
+	}
+	if _, inet, err := net.ParseCIDR(pattern); err == nil {
+		return CIDRMatcher(inet)
+	}
+	return DomainMatcher(pattern)
+}
+
+type ipMatcher struct {
+	ip net.IP
+}
+
+// IPMatcher creates a Matcher for a specific IP address.
+func IPMatcher(ip net.IP) Matcher {
+	return &ipMatcher{
+		ip: ip,
+	}
+}
+
+func (m *ipMatcher) Match(ip string) bool {
+	if m == nil {
+		return false
+	}
+	return m.ip.Equal(net.ParseIP(ip))
+}
+
+type cidrMatcher struct {
+	ipNet *net.IPNet
+}
+
+// CIDRMatcher creates a Matcher for a specific CIDR notation IP address.
+func CIDRMatcher(inet *net.IPNet) Matcher {
+	return &cidrMatcher{
+		ipNet: inet,
+	}
+}
+
+func (m *cidrMatcher) Match(ip string) bool {
+	if m == nil || m.ipNet == nil {
+		return false
+	}
+	return m.ipNet.Contains(net.ParseIP(ip))
+}
+
+type domainMatcher struct {
+	pattern string
+	glob    glob.Glob
+}
+
+// DomainMatcher creates a Matcher for a specific domain pattern,
+// the pattern can be a plain domain such as 'example.com',
+// a wildcard such as '*.exmaple.com' or a special wildcard '.example.com'.
+func DomainMatcher(pattern string) Matcher {
+	p := pattern
+	if strings.HasPrefix(pattern, ".") {
+		p = pattern[1:] // trim the prefix '.'
+		pattern = "*" + p
+	}
+	return &domainMatcher{
+		pattern: p,
+		glob:    glob.MustCompile(pattern),
+	}
+}
+
+func (m *domainMatcher) Match(domain string) bool {
+	if m == nil || m.glob == nil {
+		return false
+	}
+
+	if domain == m.pattern {
+		return true
+	}
+	return m.glob.Match(domain)
+}
--- a/internal/util/resolver/cache.go
+++ b/internal/util/resolver/cache.go
@ -0,0 +1,88 @@
+package resolver
+
+import (
+	"fmt"
+	"sync"
+	"time"
+
+	"github.com/go-gost/core/logger"
+	"github.com/miekg/dns"
+)
+
+type CacheKey string
+
+// NewCacheKey generates resolver cache key from question of dns query.
+func NewCacheKey(q *dns.Question) CacheKey {
+	if q == nil {
+		return ""
+	}
+	key := fmt.Sprintf("%s%s.%s", q.Name, dns.Class(q.Qclass).String(), dns.Type(q.Qtype).String())
+	return CacheKey(key)
+}
+
+type cacheItem struct {
+	msg *dns.Msg
+	ts  time.Time
+	ttl time.Duration
+}
+
+type Cache struct {
+	m      sync.Map
+	logger logger.Logger
+}
+
+func NewCache() *Cache {
+	return &Cache{}
+}
+
+func (c *Cache) WithLogger(logger logger.Logger) *Cache {
+	c.logger = logger
+	return c
+}
+
+func (c *Cache) Load(key CacheKey) *dns.Msg {
+	v, ok := c.m.Load(key)
+	if !ok {
+		return nil
+	}
+
+	item, ok := v.(*cacheItem)
+	if !ok {
+		return nil
+	}
+
+	if time.Since(item.ts) > item.ttl {
+		c.m.Delete(key)
+		return nil
+	}
+
+	c.logger.Debugf("hit resolver cache: %s", key)
+
+	return item.msg.Copy()
+}
+
+func (c *Cache) Store(key CacheKey, mr *dns.Msg, ttl time.Duration) {
+	if key == "" || mr == nil || ttl < 0 {
+		return
+	}
+
+	if ttl == 0 {
+		for _, answer := range mr.Answer {
+			v := time.Duration(answer.Header().Ttl) * time.Second
+			if ttl == 0 || ttl > v {
+				ttl = v
+			}
+		}
+	}
+	if ttl == 0 {
+		ttl = 30 * time.Second
+	}
+
+	c.m.Store(key, &cacheItem{
+		msg: mr.Copy(),
+		ts:  time.Now(),
+		ttl: ttl,
+	})
+
+	c.logger.Debugf("resolver cache store: %s, ttl: %v", key, ttl)
+}
--- a/internal/util/resolver/resolver.go
+++ b/internal/util/resolver/resolver.go
@ -0,0 +1,30 @@
+package resolver
+
+import (
+	"net"
+
+	"github.com/miekg/dns"
+)
+
+func AddSubnetOpt(m *dns.Msg, ip net.IP) {
+	if m == nil || ip == nil {
+		return
+	}
+
+	opt := new(dns.OPT)
+	opt.Hdr.Name = "."
+	opt.Hdr.Rrtype = dns.TypeOPT
+	e := new(dns.EDNS0_SUBNET)
+	e.Code = dns.EDNS0SUBNET
+	if ip := ip.To4(); ip != nil {
+		e.Family = 1
+		e.SourceNetmask = 24
+		e.Address = ip
+	} else {
+		e.Family = 2
+		e.SourceNetmask = 128
+		e.Address = ip.To16()
+	}
+	opt.Option = append(opt.Option, e)
+	m.Extra = append(m.Extra, opt)
+}
--- a/internal/util/socks/conn.go
+++ b/internal/util/socks/conn.go
@ -0,0 +1,172 @@
+package socks
+
+import (
+	"bytes"
+	"net"
+
+	"github.com/go-gost/core/common/bufpool"
+	"github.com/go-gost/gosocks5"
+)
+
+type udpTunConn struct {
+	net.Conn
+	taddr net.Addr
+}
+
+func UDPTunClientConn(c net.Conn, targetAddr net.Addr) net.Conn {
+	return &udpTunConn{
+		Conn:  c,
+		taddr: targetAddr,
+	}
+}
+
+func UDPTunClientPacketConn(c net.Conn) net.PacketConn {
+	return &udpTunConn{
+		Conn: c,
+	}
+}
+
+func UDPTunServerConn(c net.Conn) net.PacketConn {
+	return &udpTunConn{
+		Conn: c,
+	}
+}
+
+func (c *udpTunConn) ReadFrom(b []byte) (n int, addr net.Addr, err error) {
+	socksAddr := gosocks5.Addr{}
+	header := gosocks5.UDPHeader{
+		Addr: &socksAddr,
+	}
+	dgram := gosocks5.UDPDatagram{
+		Header: &header,
+		Data:   b,
+	}
+	_, err = dgram.ReadFrom(c.Conn)
+	if err != nil {
+		return
+	}
+
+	n = len(dgram.Data)
+	if n > len(b) {
+		n = copy(b, dgram.Data)
+	}
+	addr, err = net.ResolveUDPAddr("udp", socksAddr.String())
+
+	return
+}
+
+func (c *udpTunConn) Read(b []byte) (n int, err error) {
+	n, _, err = c.ReadFrom(b)
+	return
+}
+
+func (c *udpTunConn) WriteTo(b []byte, addr net.Addr) (n int, err error) {
+	socksAddr := gosocks5.Addr{}
+	if err = socksAddr.ParseFrom(addr.String()); err != nil {
+		return
+	}
+
+	header := gosocks5.UDPHeader{
+		Addr: &socksAddr,
+	}
+	dgram := gosocks5.UDPDatagram{
+		Header: &header,
+		Data:   b,
+	}
+	dgram.Header.Rsv = uint16(len(dgram.Data))
+	dgram.Header.Frag = 0xff // UDP tun relay flag, used by shadowsocks
+	_, err = dgram.WriteTo(c.Conn)
+	n = len(b)
+
+	return
+}
+
+func (c *udpTunConn) Write(b []byte) (n int, err error) {
+	return c.WriteTo(b, c.taddr)
+}
+
+var (
+	DefaultBufferSize = 4096
+)
+
+type udpConn struct {
+	net.PacketConn
+	raddr      net.Addr
+	taddr      net.Addr
+	bufferSize int
+}
+
+func UDPConn(c net.PacketConn, bufferSize int) net.PacketConn {
+	return &udpConn{
+		PacketConn: c,
+		bufferSize: bufferSize,
+	}
+}
+
+// ReadFrom reads an UDP datagram.
+// NOTE: for server side,
+// the returned addr is the target address the client want to relay to.
+func (c *udpConn) ReadFrom(b []byte) (n int, addr net.Addr, err error) {
+	rbuf := bufpool.Get(c.bufferSize)
+	defer bufpool.Put(rbuf)
+
+	n, c.raddr, err = c.PacketConn.ReadFrom(*rbuf)
+	if err != nil {
+		return
+	}
+
+	socksAddr := gosocks5.Addr{}
+	header := gosocks5.UDPHeader{
+		Addr: &socksAddr,
+	}
+	hlen, err := header.ReadFrom(bytes.NewReader((*rbuf)[:n]))
+	if err != nil {
+		return
+	}
+	n = copy(b, (*rbuf)[hlen:n])
+
+	addr, err = net.ResolveUDPAddr("udp", socksAddr.String())
+	return
+}
+
+func (c *udpConn) Read(b []byte) (n int, err error) {
+	n, _, err = c.ReadFrom(b)
+	return
+}
+
+func (c *udpConn) WriteTo(b []byte, addr net.Addr) (n int, err error) {
+	wbuf := bufpool.Get(c.bufferSize)
+	defer bufpool.Put(wbuf)
+
+	socksAddr := gosocks5.Addr{}
+	if err = socksAddr.ParseFrom(addr.String()); err != nil {
+		return
+	}
+
+	header := gosocks5.UDPHeader{
+		Addr: &socksAddr,
+	}
+	dgram := gosocks5.UDPDatagram{
+		Header: &header,
+		Data:   b,
+	}
+
+	buf := bytes.NewBuffer((*wbuf)[:0])
+	_, err = dgram.WriteTo(buf)
+	if err != nil {
+		return
+	}
+
+	_, err = c.PacketConn.WriteTo(buf.Bytes(), c.raddr)
+	n = len(b)
+
+	return
+}
+
+func (c *udpConn) Write(b []byte) (n int, err error) {
+	return c.WriteTo(b, c.taddr)
+}
+
+func (c *udpConn) RemoteAddr() net.Addr {
+	return c.raddr
+}
--- a/internal/util/socks/socks.go
+++ b/internal/util/socks/socks.go
@ -0,0 +1,18 @@
+package socks
+
+const (
+	// MethodTLS is an extended SOCKS5 method with tls encryption support.
+	MethodTLS uint8 = 0x80
+	// MethodTLSAuth is an extended SOCKS5 method with tls encryption and authentication support.
+	MethodTLSAuth uint8 = 0x82
+	// MethodMux is an extended SOCKS5 method for stream multiplexing.
+	MethodMux = 0x88
+)
+
+const (
+	// CmdMuxBind is an extended SOCKS5 request CMD for
+	// multiplexing transport with the binding server.
+	CmdMuxBind uint8 = 0xF2
+	// CmdUDPTun is an extended SOCKS5 request CMD for UDP over TCP.
+	CmdUDPTun uint8 = 0xF3
+)
--- a/internal/util/tls/tls.go
+++ b/internal/util/tls/tls.go
@ -0,0 +1,173 @@
+package tls
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"errors"
+	"io/ioutil"
+	"net"
+	"time"
+)
+
+// LoadServerConfig loads the certificate from cert & key files and optional client CA file.
+func LoadServerConfig(certFile, keyFile, caFile string) (*tls.Config, error) {
+	if certFile == "" && keyFile == "" {
+		return nil, nil
+	}
+
+	cert, err := tls.LoadX509KeyPair(certFile, keyFile)
+	if err != nil {
+		return nil, err
+	}
+
+	cfg := &tls.Config{Certificates: []tls.Certificate{cert}}
+
+	pool, err := loadCA(caFile)
+	if err != nil {
+		return nil, err
+	}
+	if pool != nil {
+		cfg.ClientCAs = pool
+		cfg.ClientAuth = tls.RequireAndVerifyClientCert
+	}
+
+	return cfg, nil
+}
+
+// LoadClientConfig loads the certificate from cert & key files and optional CA file.
+func LoadClientConfig(certFile, keyFile, caFile string, verify bool, serverName string) (*tls.Config, error) {
+	var cfg *tls.Config
+
+	if certFile == "" && keyFile == "" {
+		cfg = &tls.Config{}
+	} else {
+		cert, err := tls.LoadX509KeyPair(certFile, keyFile)
+		if err != nil {
+			return nil, err
+		}
+
+		cfg = &tls.Config{
+			Certificates: []tls.Certificate{cert},
+		}
+	}
+
+	rootCAs, err := loadCA(caFile)
+	if err != nil {
+		return nil, err
+	}
+
+	cfg.RootCAs = rootCAs
+	cfg.ServerName = serverName
+	cfg.InsecureSkipVerify = !verify
+
+	// If the root ca is given, but skip verify, we verify the certificate manually.
+	if cfg.RootCAs != nil && !verify {
+		cfg.VerifyConnection = func(state tls.ConnectionState) error {
+			opts := x509.VerifyOptions{
+				Roots:         cfg.RootCAs,
+				CurrentTime:   time.Now(),
+				DNSName:       "",
+				Intermediates: x509.NewCertPool(),
+			}
+
+			certs := state.PeerCertificates
+			for i, cert := range certs {
+				if i == 0 {
+					continue
+				}
+				opts.Intermediates.AddCert(cert)
+			}
+
+			_, err := certs[0].Verify(opts)
+			return err
+		}
+	}
+
+	return cfg, nil
+}
+
+func loadCA(caFile string) (cp *x509.CertPool, err error) {
+	if caFile == "" {
+		return
+	}
+	cp = x509.NewCertPool()
+	data, err := ioutil.ReadFile(caFile)
+	if err != nil {
+		return nil, err
+	}
+	if !cp.AppendCertsFromPEM(data) {
+		return nil, errors.New("AppendCertsFromPEM failed")
+	}
+	return
+}
+
+// Wrap a net.Conn into a client tls connection, performing any
+// additional verification as needed.
+//
+// As of go 1.3, crypto/tls only supports either doing no certificate
+// verification, or doing full verification including of the peer's
+// DNS name. For consul, we want to validate that the certificate is
+// signed by a known CA, but because consul doesn't use DNS names for
+// node names, we don't verify the certificate DNS names. Since go 1.3
+// no longer supports this mode of operation, we have to do it
+// manually.
+//
+// This code is taken from consul:
+// https://github.com/hashicorp/consul/blob/master/tlsutil/config.go
+func WrapTLSClient(conn net.Conn, tlsConfig *tls.Config, timeout time.Duration) (net.Conn, error) {
+	var err error
+	var tlsConn *tls.Conn
+
+	if timeout > 0 {
+		conn.SetDeadline(time.Now().Add(timeout))
+		defer conn.SetDeadline(time.Time{})
+	}
+
+	tlsConn = tls.Client(conn, tlsConfig)
+
+	// Otherwise perform handshake, but don't verify the domain
+	//
+	// The following is lightly-modified from the doFullHandshake
+	// method in https://golang.org/src/crypto/tls/handshake_client.go
+	if err = tlsConn.Handshake(); err != nil {
+		tlsConn.Close()
+		return nil, err
+	}
+
+	// We can do this in `tls.Config.VerifyConnection`, which effective for
+	// other TLS protocols such as WebSocket. See `route.go:parseChainNode`
+	/*
+		// If crypto/tls is doing verification, there's no need to do our own.
+		if tlsConfig.InsecureSkipVerify == false {
+			return tlsConn, nil
+		}
+
+		// Similarly if we use host's CA, we can do full handshake
+		if tlsConfig.RootCAs == nil {
+			return tlsConn, nil
+		}
+
+		opts := x509.VerifyOptions{
+			Roots:         tlsConfig.RootCAs,
+			CurrentTime:   time.Now(),
+			DNSName:       "",
+			Intermediates: x509.NewCertPool(),
+		}
+
+		certs := tlsConn.ConnectionState().PeerCertificates
+		for i, cert := range certs {
+			if i == 0 {
+				continue
+			}
+			opts.Intermediates.AddCert(cert)
+		}
+
+		_, err = certs[0].Verify(opts)
+		if err != nil {
+			tlsConn.Close()
+			return nil, err
+		}
+	*/
+
+	return tlsConn, err
+}