func PipeThenCloseOta(src *ss.Conn, dst net.Conn, is_res bool, host string, user user.User) { const ( dataLenLen = 2 hmacSha1Len = 10 idxData0 = dataLenLen + hmacSha1Len ) defer func() { dst.Close() }() var pipeBuf = leakybuf.NewLeakyBuf(nBuf, bufSize) buf := pipeBuf.Get() // sometimes it have to fill large block for i := 1; ; i += 1 { SetReadTimeout(src) n, err := io.ReadFull(src, buf[:dataLenLen+hmacSha1Len]) if err != nil { if err == io.EOF { break } Log.Debug(fmt.Sprintf("conn=%p #%v read header error n=%v: %v", src, i, n, err)) break } dataLen := binary.BigEndian.Uint16(buf[:dataLenLen]) expectedHmacSha1 := buf[dataLenLen:idxData0] var dataBuf []byte if len(buf) < int(idxData0+dataLen) { dataBuf = make([]byte, dataLen) } else { dataBuf = buf[idxData0 : idxData0+dataLen] } if n, err := io.ReadFull(src, dataBuf); err != nil { if err == io.EOF { break } Log.Debug(fmt.Sprintf("conn=%p #%v read data error n=%v: %v", src, i, n, err)) break } chunkIdBytes := make([]byte, 4) chunkId := src.GetAndIncrChunkId() binary.BigEndian.PutUint32(chunkIdBytes, chunkId) actualHmacSha1 := ss.HmacSha1(append(src.GetIv(), chunkIdBytes...), dataBuf) if !bytes.Equal(expectedHmacSha1, actualHmacSha1) { Log.Debug(fmt.Sprintf("conn=%p #%v read data hmac-sha1 mismatch, iv=%v chunkId=%v src=%v dst=%v len=%v expeced=%v actual=%v", src, i, src.GetIv(), chunkId, src.RemoteAddr(), dst.RemoteAddr(), dataLen, expectedHmacSha1, actualHmacSha1)) break } if n, err := dst.Write(dataBuf); err != nil { Log.Debug(fmt.Sprintf("conn=%p #%v write data error n=%v: %v", dst, i, n, err)) break } if is_res { err := storage.IncrSize(user, n) if err != nil { Log.Error(err) } Log.Debug(fmt.Sprintf("[port-%d] store size: %d", user.GetPort(), n)) } } return }
func getRequest(conn *ss.Conn, auth bool) (host string, res_size int, ota bool, err error) { var n int ss.SetReadTimeout(conn) // buf size should at least have the same size with the largest possible // request size (when addrType is 3, domain name has at most 256 bytes) // 1(addrType) + 1(lenByte) + 256(max length address) + 2(port) + 10(hmac-sha1) buf := make([]byte, 270) // read till we get possible domain length field if n, err = io.ReadFull(conn, buf[:idType+1]); err != nil { return } res_size += n var reqStart, reqEnd int addrType := buf[idType] switch addrType & ss.AddrMask { case typeIPv4: reqStart, reqEnd = idIP0, idIP0+lenIPv4 case typeIPv6: reqStart, reqEnd = idIP0, idIP0+lenIPv6 case typeDm: if n, err = io.ReadFull(conn, buf[idType+1:idDmLen+1]); err != nil { return } reqStart, reqEnd = idDm0, int(idDm0+buf[idDmLen]+lenDmBase) default: err = fmt.Errorf("addr type %d not supported", addrType&ss.AddrMask) return } res_size += n if n, err = io.ReadFull(conn, buf[reqStart:reqEnd]); err != nil { return } res_size += n // Return string for typeIP is not most efficient, but browsers (Chrome, // Safari, Firefox) all seems using typeDm exclusively. So this is not a // big problem. switch addrType & ss.AddrMask { case typeIPv4: host = net.IP(buf[idIP0 : idIP0+net.IPv4len]).String() case typeIPv6: host = net.IP(buf[idIP0 : idIP0+net.IPv6len]).String() case typeDm: host = string(buf[idDm0 : idDm0+buf[idDmLen]]) } // parse port port := binary.BigEndian.Uint16(buf[reqEnd-2 : reqEnd]) host = net.JoinHostPort(host, strconv.Itoa(int(port))) // if specified one time auth enabled, we should verify this if auth || addrType&ss.OneTimeAuthMask > 0 { ota = true if n, err = io.ReadFull(conn, buf[reqEnd:reqEnd+lenHmacSha1]); err != nil { return } iv := conn.GetIv() key := conn.GetKey() actualHmacSha1Buf := ss.HmacSha1(append(iv, key...), buf[:reqEnd]) if !bytes.Equal(buf[reqEnd:reqEnd+lenHmacSha1], actualHmacSha1Buf) { err = fmt.Errorf("verify one time auth failed, iv=%v key=%v data=%v", iv, key, buf[:reqEnd]) return } res_size += n } return }
func handleConnection(user user.User, conn *ss.Conn, auth bool) { var host string connCnt++ // this maybe not accurate, but should be enough if connCnt-nextLogConnCnt >= 0 { // XXX There's no xadd in the atomic package, so it's difficult to log // the message only once with low cost. Also note nextLogConnCnt maybe // added twice for current peak connection number level. Log.Debug("Number of client connections reaches %d\n", nextLogConnCnt) nextLogConnCnt += logCntDelta } // function arguments are always evaluated, so surround debug statement // with if statement Log.Debug(fmt.Sprintf("new client %s->%s\n", conn.RemoteAddr().String(), conn.LocalAddr())) closed := false defer func() { if ssdebug { Log.Debug(fmt.Sprintf("closed pipe %s<->%s\n", conn.RemoteAddr(), host)) } connCnt-- if !closed { conn.Close() } }() host, res_size, ota, err := getRequest(conn, auth) if err != nil { Log.Error("error getting request", conn.RemoteAddr(), conn.LocalAddr(), err) return } Log.Info(fmt.Sprintf("[port-%d]connecting %s ", user.GetPort(), host)) remote, err := net.Dial("tcp", host) if err != nil { if ne, ok := err.(*net.OpError); ok && (ne.Err == syscall.EMFILE || ne.Err == syscall.ENFILE) { // log too many open file error // EMFILE is process reaches open file limits, ENFILE is system limit Log.Error("dial error:", err) } else { Log.Error("error connecting to:", host, err) } return } defer func() { if !closed { remote.Close() } }() // debug conn info Log.Debug(fmt.Sprintf("%d conn debug: local addr: %s | remote addr: %s network: %s ", user.GetPort(), conn.LocalAddr().String(), conn.RemoteAddr().String(), conn.RemoteAddr().Network())) err = storage.IncrSize(user, res_size) if err != nil { Log.Error(err) return } err = storage.MarkUserOnline(user) if err != nil { Log.Error(err) return } Log.Debug(fmt.Sprintf("[port-%d] store size: %d", user.GetPort(), res_size)) Log.Info(fmt.Sprintf("piping %s<->%s ota=%v connOta=%v", conn.RemoteAddr(), host, ota, conn.IsOta())) if ota { go PipeThenCloseOta(conn, remote, false, host, user) } else { go PipeThenClose(conn, remote, false, host, user) } PipeThenClose(remote, conn, true, host, user) closed = true return }