Bypassing disallowed ports in SOCKS proxy

getlantern · May 26, 2016 · e33b07f · e33b07f
1 parent 0197842
commit e33b07f
Show file tree

Hide file tree

Showing 5 changed files with 71 additions and 50 deletions.
diff --git a/src/github.com/getlantern/flashlight/client/client.go b/src/github.com/getlantern/flashlight/client/client.go
@@ -5,16 +5,17 @@ import (
 	"net"
 	"net/http"
 	"reflect"
+	"strconv"
 	"strings"
 	"sync"
 	"sync/atomic"
 	"time"
 
 	"github.com/armon/go-socks5"
-	"github.com/getlantern/balancer"
 	"github.com/getlantern/detour"
 	"github.com/getlantern/eventual"
 	"github.com/getlantern/golog"
+	"github.com/getlantern/protected"
 )
 
 const (
@@ -139,14 +140,11 @@ func (client *Client) ListenAndServeSOCKS5(requestedAddr string) error {
 
 	conf := &socks5.Config{
 		Dial: func(network, addr string) (net.Conn, error) {
-			bal, ok := client.bal.Get(1 * time.Minute)
-			if !ok {
-				return nil, fmt.Errorf("Unable to get balancer")
+			port, err := client.portForAddress(addr)
+			if err != nil {
+				return nil, err
 			}
-			// Using protocol "connect" will cause the balancer to issue an HTTP
-			// CONNECT request to the upstream proxy and return the resulting channel
-			// as a connection.
-			return bal.(*balancer.Balancer).Dial("connect", addr)
+			return client.dialCONNECT(addr, port)
 		},
 	}
 	server, err := socks5.New(conf)
@@ -219,6 +217,47 @@ func (client *Client) proxiedDialer(orig func(network, addr string) (net.Conn, e
 	}
 }
 
+func (client *Client) dialCONNECT(addr string, port int) (net.Conn, error) {
+	// Establish outbound connection
+	if client.shouldSendToProxy(port) {
+		log.Tracef("Proxying CONNECT request for %v", addr)
+		d := client.proxiedDialer(func(network, addr string) (net.Conn, error) {
+			// UGLY HACK ALERT! In this case, we know we need to send a CONNECT request
+			// to the chained server. We need to send that request from chained/dialer.go
+			// though because only it knows about the authentication token to use.
+			// We signal it to send the CONNECT here using the network transport argument
+			// that is effectively always "tcp" in the end, but we look for this
+			// special "transport" in the dialer and send a CONNECT request in that
+			// case.
+			return client.getBalancer().Dial("connect", addr)
+		})
+		return d("tcp", addr)
+	}
+	log.Tracef("Port not allowed, bypassing proxy and sending CONNECT request directly to %v", addr)
+	return protected.Dial("tcp", addr, 1*time.Minute)
+}
+
+func (client *Client) shouldSendToProxy(port int) bool {
+	for _, proxiedPort := range client.cfg().ProxiedCONNECTPorts {
+		if port == proxiedPort {
+			return true
+		}
+	}
+	return false
+}
+
+func (client *Client) portForAddress(addr string) (int, error) {
+	_, portString, err := net.SplitHostPort(addr)
+	if err != nil {
+		return 0, fmt.Errorf("Unable to determine port for address %v: %v", addr, err)
+	}
+	port, err := strconv.Atoi(portString)
+	if err != nil {
+		return 0, fmt.Errorf("Unable to parse port %v for address %v: %v", addr, port, err)
+	}
+	return port, nil
+}
+
 func isLanternSpecialDomain(addr string) bool {
 	return strings.Index(addr, lanternSpecialDomainWithColon) == 0
 }

diff --git a/src/github.com/getlantern/flashlight/client/handler.go b/src/github.com/getlantern/flashlight/client/handler.go
@@ -41,20 +41,14 @@ func (client *Client) ServeHTTP(resp http.ResponseWriter, req *http.Request) {
 // connection and starts piping the data over a new net.Conn obtained from the
 // given dial function.
 func (client *Client) intercept(resp http.ResponseWriter, req *http.Request) {
-
 	if req.Method != httpConnectMethod {
 		panic("Intercept used for non-CONNECT request!")
 	}
 
 	addr := hostIncludingPort(req, 443)
-	_, portString, err := net.SplitHostPort(addr)
+	port, err := client.portForAddress(addr)
 	if err != nil {
-		respondBadGateway(resp, fmt.Sprintf("Unable to determine port for address %v: %v", addr, err))
-		return
-	}
-	port, err := strconv.Atoi(portString)
-	if err != nil {
-		respondBadGateway(resp, fmt.Sprintf("Unable to parse port %v for address %v: %v", addr, port, err))
+		respondBadGateway(resp, err.Error())
 		return
 	}
 
@@ -89,33 +83,7 @@ func (client *Client) intercept(resp http.ResponseWriter, req *http.Request) {
 		return
 	}
 
-	sendToProxy := false
-	for _, proxiedPort := range client.cfg().ProxiedCONNECTPorts {
-		if port == proxiedPort {
-			sendToProxy = true
-			break
-		}
-	}
-
-	// Establish outbound connection
-	if sendToProxy {
-		log.Tracef("Proxying CONNECT request for %v", addr)
-		d := client.proxiedDialer(func(network, addr string) (net.Conn, error) {
-			// UGLY HACK ALERT! In this case, we know we need to send a CONNECT request
-			// to the chained server. We need to send that request from chained/dialer.go
-			// though because only it knows about the authentication token to use.
-			// We signal it to send the CONNECT here using the network transport argument
-			// that is effectively always "tcp" in the end, but we look for this
-			// special "transport" in the dialer and send a CONNECT request in that
-			// case.
-			return client.getBalancer().Dial("connect", addr)
-		})
-		connOut, err = d("tcp", addr)
-	} else {
-		log.Tracef("Port not allowed, bypassing proxy and sending CONNECT request directly to %v", addr)
-		connOut, err = net.Dial("tcp", addr)
-	}
-
+	connOut, err = client.dialCONNECT(addr, port)
 	if err != nil {
 		log.Debugf("Could not dial %v", err)
 		respondBadGatewayHijacked(clientConn, req)

diff --git a/src/github.com/getlantern/lantern-mobile/.idea/compiler.xml b/src/github.com/getlantern/lantern-mobile/.idea/compiler.xml
diff --git a/src/github.com/getlantern/lantern-mobile/.idea/modules.xml b/src/github.com/getlantern/lantern-mobile/.idea/modules.xml
diff --git a/src/github.com/getlantern/protected/protected.go b/src/github.com/getlantern/protected/protected.go
@@ -39,20 +39,25 @@ var (
 	log              = golog.LoggerFor("lantern-android.protected")
 	currentProtect   Protect
 	currentDnsServer string
+	mutex            sync.RWMutex
 )
 
 func Configure(protect Protect, dnsServer string) {
+	mutex.Lock()
 	currentProtect = protect
 	if dnsServer != "" {
 		currentDnsServer = dnsServer
 	} else {
 		dnsServer = defaultDnsServer
 	}
+	mutex.Unlock()
 }
 
 // Resolve resolves the given address using a DNS lookup on a UDP socket
-// protected by the currnet Protector.
+// protected by the current Protector.
 func Resolve(addr string) (*net.TCPAddr, error) {
+	protect, dnsServer := getCurrent()
+
 	host, port, err := SplitHostPort(addr)
 	if err != nil {
 		return nil, err
@@ -74,12 +79,12 @@ func Resolve(addr string) (*net.TCPAddr, error) {
 	// Here we protect the underlying socket from the
 	// VPN connection by passing the file descriptor
 	// back to Java for exclusion
-	err = currentProtect(socketFd)
+	err = protect(socketFd)
 	if err != nil {
 		return nil, fmt.Errorf("Could not bind socket to system device: %v", err)
 	}
 
-	IPAddr = net.ParseIP(currentDnsServer)
+	IPAddr = net.ParseIP(dnsServer)
 	if IPAddr == nil {
 		return nil, errors.New("invalid IP address")
 	}
@@ -127,6 +132,11 @@ func Resolve(addr string) (*net.TCPAddr, error) {
 //   specified system device (this is primarily
 //   used for Android VpnService routing functionality)
 func Dial(network, addr string, timeout time.Duration) (net.Conn, error) {
+	protect, _ := getCurrent()
+	if protect == nil {
+		return net.DialTimeout(network, addr, timeout)
+	}
+
 	host, port, err := SplitHostPort(addr)
 	if err != nil {
 		return nil, err
@@ -154,7 +164,7 @@ func Dial(network, addr string, timeout time.Duration) (net.Conn, error) {
 	defer conn.cleanup()
 
 	// Actually protect the underlying socket here
-	err = currentProtect(conn.socketFd)
+	err = protect(conn.socketFd)
 	if err != nil {
 		return nil, fmt.Errorf("Could not bind socket to system device: %v", err)
 	}
@@ -269,3 +279,9 @@ func SplitHostPort(addr string) (string, int, error) {
 	}
 	return host, port, nil
 }
+
+func getCurrent() (Protect, string) {
+	mutex.RLock()
+	defer mutex.RUnlock()
+	return currentProtect, currentDnsServer
+}