Change to explicit handshake

yosebyte · Dec 14, 2024 · c438bf4 · c438bf4
1 parent 67a4bfa
commit c438bf4
Show file tree

Hide file tree

Showing 4 changed files with 57 additions and 18 deletions.
diff --git a/internal/tunnel/client.go b/internal/tunnel/client.go
@@ -32,6 +32,9 @@ func Client(parsedURL *url.URL) error {
 		return err
 	}
 	defer linkConn.Close()
+	if err := linkConn.Handshake(); err != nil {
+		return err
+	}
 	log.Info("Tunnel connection established to: [%v]", linkAddr)
 	buffer := make([]byte, internal.MaxSignalBuffer)
 	for {

diff --git a/internal/tunnel/server.go b/internal/tunnel/server.go
@@ -38,13 +38,21 @@ func Server(parsedURL *url.URL, whiteList *sync.Map, tlsConfig *tls.Config) erro
 		return err
 	}
 	defer linkConn.Close()
+	linkTLS, ok := linkConn.(*tls.Conn)
+	if !ok {
+		log.Error("Non-TLS connection received")
+		return nil
+	}
+	if err := linkTLS.Handshake(); err != nil {
+		return err
+	}
 	log.Info("Tunnel connection established from: [%v]", linkConn.RemoteAddr().String())
 	errChan := make(chan error, 2)
 	go func() {
-		errChan <- ServeTCP(parsedURL, whiteList, linkAddr, targetTCPAddr, linkListen, linkConn)
+		errChan <- ServeTCP(parsedURL, whiteList, linkAddr, targetTCPAddr, linkListen, linkTLS)
 	}()
 	go func() {
-		errChan <- ServeUDP(parsedURL, whiteList, linkAddr, targetUDPAddr, linkListen, linkConn)
+		errChan <- ServeUDP(parsedURL, whiteList, linkAddr, targetUDPAddr, linkListen, linkTLS)
 	}()
 	return <-errChan
 }
diff --git a/internal/tunnel/tcp.go b/internal/tunnel/tcp.go
@@ -13,7 +13,7 @@ import (
 	"github.com/yosebyte/passport/pkg/log"
 )
 
-func ServeTCP(parsedURL *url.URL, whiteList *sync.Map, linkAddr, targetAddr *net.TCPAddr, linkListen net.Listener, linkConn net.Conn) error {
+func ServeTCP(parsedURL *url.URL, whiteList *sync.Map, linkAddr, targetAddr *net.TCPAddr, linkListen net.Listener, linkTLS net.Conn) error {
 	targetListen, err := net.ListenTCP("tcp", targetAddr)
 	if err != nil {
 		log.Error("Unable to listen target address: [%v]", targetAddr)
@@ -49,7 +49,7 @@ func ServeTCP(parsedURL *url.URL, whiteList *sync.Map, linkAddr, targetAddr *net
 		go func(targetConn *net.TCPConn) {
 			defer func() { <-sem }()
 			mu.Lock()
-			_, err = linkConn.Write([]byte("[PASSPORT]<TCP>\n"))
+			_, err = linkTLS.Write([]byte("[PASSPORT]<TCP>\n"))
 			mu.Unlock()
 			if err != nil {
 				log.Error("Unable to send signal: %v", err)
@@ -61,8 +61,17 @@ func ServeTCP(parsedURL *url.URL, whiteList *sync.Map, linkAddr, targetAddr *net
 				log.Error("Unable to accept connections form link address: [%v] %v", linkAddr, err)
 				return
 			}
+			remoteTLS, ok := remoteConn.(*tls.Conn)
+			if !ok {
+				log.Error("Non-TLS connection received")
+				return
+			}
+			if err := remoteTLS.Handshake(); err != nil {
+				log.Error("TLS handshake failed: %v", err)
+				return
+			}
 			log.Info("Starting data exchange: [%v] <-> [%v]", clientAddr, targetAddr)
-			if err := conn.DataExchange(remoteConn, targetConn); err != nil {
+			if err := conn.DataExchange(remoteTLS, targetConn); err != nil {
 				if err == io.EOF {
 					log.Info("Connection closed successfully: %v", err)
 				} else {
@@ -80,13 +89,17 @@ func ClientTCP(linkAddr, targetTCPAddr *net.TCPAddr) {
 		return
 	}
 	log.Info("Target connection established: [%v]", targetTCPAddr)
-	remoteConn, err := tls.Dial("tcp", linkAddr.String(), &tls.Config{InsecureSkipVerify: true})
+	remoteTLS, err := tls.Dial("tcp", linkAddr.String(), &tls.Config{InsecureSkipVerify: true})
 	if err != nil {
 		log.Error("Unable to dial target address: [%v], %v", linkAddr, err)
 		return
 	}
+	if err := remoteTLS.Handshake(); err != nil {
+		log.Error("TLS handshake failed: %v", err)
+		return
+	}
 	log.Info("Starting data exchange: [%v] <-> [%v]", linkAddr, targetTCPAddr)
-	if err := conn.DataExchange(remoteConn, targetConn); err != nil {
+	if err := conn.DataExchange(remoteTLS, targetConn); err != nil {
 		if err == io.EOF {
 			log.Info("Connection closed successfully: %v", err)
 		} else {

diff --git a/internal/tunnel/udp.go b/internal/tunnel/udp.go
@@ -11,7 +11,7 @@ import (
 	"github.com/yosebyte/passport/pkg/log"
 )
 
-func ServeUDP(parsedURL *url.URL, whiteList *sync.Map, linkAddr *net.TCPAddr, targetAddr *net.UDPAddr, linkListen net.Listener, linkConn net.Conn) error {
+func ServeUDP(parsedURL *url.URL, whiteList *sync.Map, linkAddr *net.TCPAddr, targetAddr *net.UDPAddr, linkListen net.Listener, linkTLS net.Conn) error {
 	targetConn, err := net.ListenUDP("udp", targetAddr)
 	if err != nil {
 		log.Error("Unable to listen target address: [%v]", targetAddr)
@@ -36,7 +36,7 @@ func ServeUDP(parsedURL *url.URL, whiteList *sync.Map, linkAddr *net.TCPAddr, ta
 			}
 		}
 		mu.Lock()
-		_, err = linkConn.Write([]byte("[PASSPORT]<UDP>\n"))
+		_, err = linkTLS.Write([]byte("[PASSPORT]<UDP>\n"))
 		mu.Unlock()
 		if err != nil {
 			log.Error("Unable to send signal: %v", err)
@@ -49,19 +49,30 @@ func ServeUDP(parsedURL *url.URL, whiteList *sync.Map, linkAddr *net.TCPAddr, ta
 			time.Sleep(1 * time.Second)
 			continue
 		}
+		remoteTLS, ok := remoteConn.(*tls.Conn)
+		if !ok {
+			log.Error("Non-TLS connection received")
+			time.Sleep(1 * time.Second)
+			continue
+		}
+		if err := remoteTLS.Handshake(); err != nil {
+			log.Error("TLS handshake failed: %v", err)
+			time.Sleep(1 * time.Second)
+			continue
+		}
 		sem <- struct{}{}
-		go func(buffer []byte, n int, remoteConn net.Conn, clientAddr *net.UDPAddr) {
+		go func(buffer []byte, n int, remoteTLS *tls.Conn, clientAddr *net.UDPAddr) {
 			defer func() {
 				<-sem
-				remoteConn.Close()
+				remoteTLS.Close()
 			}()
 			log.Info("Starting data transfer: [%v] <-> [%v]", clientAddr, targetAddr)
-			_, err = remoteConn.Write(buffer[:n])
+			_, err = remoteTLS.Write(buffer[:n])
 			if err != nil {
 				log.Error("Unable to write to link address: [%v] %v", linkAddr, err)
 				return
 			}
-			n, err = remoteConn.Read(buffer)
+			n, err = remoteTLS.Read(buffer)
 			if err != nil {
 				log.Error("Unable to read from link address: [%v] %v", linkAddr, err)
 				return
@@ -72,20 +83,24 @@ func ServeUDP(parsedURL *url.URL, whiteList *sync.Map, linkAddr *net.TCPAddr, ta
 				return
 			}
 			log.Info("Transfer completed successfully")
-		}(buffer, n, remoteConn, clientAddr)
+		}(buffer, n, remoteTLS, clientAddr)
 	}
 }
 
 func ClientUDP(linkAddr *net.TCPAddr, targetUDPAddr *net.UDPAddr) {
-	remoteConn, err := tls.Dial("tcp", linkAddr.String(), &tls.Config{InsecureSkipVerify: true})
+	remoteTLS, err := tls.Dial("tcp", linkAddr.String(), &tls.Config{InsecureSkipVerify: true})
 	if err != nil {
 		log.Error("Unable to dial target address: [%v] %v", linkAddr, err)
 		return
 	}
-	defer remoteConn.Close()
+	defer remoteTLS.Close()
+	if err := remoteTLS.Handshake(); err != nil {
+		log.Error("TLS handshake failed: %v", err)
+		return
+	}
 	log.Info("Remote connection established: [%v]", linkAddr)
 	buffer := make([]byte, internal.MaxDataBuffer)
-	n, err := remoteConn.Read(buffer)
+	n, err := remoteTLS.Read(buffer)
 	if err != nil {
 		log.Error("Unable to read from remote address: [%v] %v", linkAddr, err)
 		return
@@ -113,7 +128,7 @@ func ClientUDP(linkAddr *net.TCPAddr, targetUDPAddr *net.UDPAddr) {
 		log.Error("Unable to read from target address: [%v] %v", targetUDPAddr, err)
 		return
 	}
-	_, err = remoteConn.Write(buffer[:n])
+	_, err = remoteTLS.Write(buffer[:n])
 	if err != nil {
 		log.Error("Unable to write to remote address: [%v] %v", linkAddr, err)
 		return