Enable TLS

admin/admin.go

@@ -32,6 +32,8 @@ func main() {
 
 	options := initial.ParseOptions()
 
+	share.GeneratePreAuthToken(options.Secret)
+
 	protocol.DecideType("raw", options.Downstream)
 
 	cli.Banner()

admin/admin_win.go

@@ -1,3 +1,4 @@
+//go:build windows
 // +build windows
 
 package main
@@ -26,6 +27,8 @@ func main() {
 
 	options := initial.ParseOptions()
 
+	share.GeneratePreAuthToken(options.Secret)
+
 	protocol.DecideType("raw", options.Downstream)
 
 	cli.Banner()

admin/initial/method.go

@@ -1,13 +1,15 @@
 package initial
 
 import (
+	"crypto/tls"
 	"net"
 	"os"
 
 	"Stowaway/admin/printer"
 	"Stowaway/admin/topology"
 	"Stowaway/protocol"
 	"Stowaway/share"
+	"Stowaway/share/transport"
 	"Stowaway/utils"
 )
 
@@ -74,11 +76,25 @@ func NormalActive(userOptions *Options, topo *topology.Topology, proxy share.Pro
 			os.Exit(0)
 		}
 
-		if err := share.ActivePreAuth(conn, userOptions.Secret); err != nil {
+		if err := share.ActivePreAuth(conn); err != nil {
 			printer.Fail("[*] Error occurred: %s", err.Error())
 			os.Exit(0)
 		}
 
+		if userOptions.TlsEnable {
+			var tlsConfig *tls.Config
+			tlsConfig, err = transport.NewClientTLSConfig(userOptions.Domain)
+			if err != nil {
+				printer.Fail("[*] Error occured: %s", err.Error())
+				conn.Close()
+				continue
+			}
+			conn = transport.WrapTLSClientConn(conn, tlsConfig)
+			// As we have already used TLS, we don't need to use aes inside
+			// Set userOptions.Secret as null to disable aes
+			userOptions.Secret = ""
+		}
+
 		sMessage = protocol.PrepareAndDecideWhichSProtoToLower(conn, userOptions.Secret, protocol.ADMIN_UUID)
 
 		protocol.ConstructMessage(sMessage, header, hiMess, false)
@@ -178,12 +194,26 @@ func NormalPassive(userOptions *Options, topo *topology.Topology) net.Conn {
 			continue
 		}
 
-		if err := share.PassivePreAuth(conn, userOptions.Secret); err != nil {
+		if err := share.PassivePreAuth(conn); err != nil {
 			printer.Fail("[*] Error occurred: %s\r\n", err.Error())
 			conn.Close()
 			continue
 		}
 
+		if userOptions.TlsEnable {
+			var tlsConfig *tls.Config
+			tlsConfig, err = transport.NewServerTLSConfig()
+			if err != nil {
+				printer.Fail("[*] Error occured: %s", err.Error())
+				conn.Close()
+				continue
+			}
+			conn = transport.WrapTLSServerConn(conn, tlsConfig)
+			// As we have already used TLS, we don't need to use aes inside
+			// Set userOptions.Secret as null to disable aes
+			userOptions.Secret = ""
+		}
+
 		rMessage = protocol.PrepareAndDecideWhichRProtoFromLower(conn, userOptions.Secret, protocol.ADMIN_UUID)
 		fHeader, fMessage, err := protocol.DestructMessage(rMessage)
 

admin/initial/parser.go

@@ -1,3 +1,4 @@
+//go:build !windows
 // +build !windows
 
 package initial
@@ -7,6 +8,7 @@ import (
 	"fmt"
 	"net"
 	"os"
+	"strings"
 
 	"Stowaway/admin/printer"
 
@@ -30,21 +32,25 @@ type Options struct {
 	Socks5ProxyP string
 	HttpProxy    string
 	Downstream   string
+	Domain       string
+	TlsEnable    bool
 }
 
-var Args *Options
+var args *Options
 
 func init() {
-	Args = new(Options)
-
-	flag.StringVar(&Args.Secret, "s", "", "Communication secret")
-	flag.StringVar(&Args.Listen, "l", "", "Listen port")
-	flag.StringVar(&Args.Connect, "c", "", "The node address when you actively connect to it")
-	flag.StringVar(&Args.Socks5Proxy, "socks5-proxy", "", "The socks5 server ip:port you want to use")
-	flag.StringVar(&Args.Socks5ProxyU, "socks5-proxyu", "", "socks5 username")
-	flag.StringVar(&Args.Socks5ProxyP, "socks5-proxyp", "", "socks5 password")
-	flag.StringVar(&Args.HttpProxy, "http-proxy", "", "The http proxy server ip:port you want to use")
-	flag.StringVar(&Args.Downstream, "down", "raw", "")
+	args = new(Options)
+
+	flag.StringVar(&args.Secret, "s", "", "Communication secret")
+	flag.StringVar(&args.Listen, "l", "", "Listen port")
+	flag.StringVar(&args.Connect, "c", "", "The node address when you actively connect to it")
+	flag.StringVar(&args.Socks5Proxy, "socks5-proxy", "", "The socks5 server ip:port you want to use")
+	flag.StringVar(&args.Socks5ProxyU, "socks5-proxyu", "", "socks5 username")
+	flag.StringVar(&args.Socks5ProxyP, "socks5-proxyp", "", "socks5 password")
+	flag.StringVar(&args.HttpProxy, "http-proxy", "", "The http proxy server ip:port you want to use")
+	flag.StringVar(&args.Downstream, "down", "raw", "Downstream data type you want to use")
+	flag.StringVar(&args.Domain, "domain", "", "Domain name for TLS SNI")
+	flag.BoolVar(&args.TlsEnable, "tls-enable", false, "Encrypt connection by TLS")
 
 	flag.Usage = newUsage
 }
@@ -65,44 +71,49 @@ Usages:
 func ParseOptions() *Options {
 	flag.Parse()
 
-	if Args.Listen != "" && Args.Connect == "" && Args.Socks5Proxy == "" && Args.HttpProxy == "" { // ./stowaway_admin -l <port> -s [secret]
-		Args.Mode = NORMAL_PASSIVE
-		printer.Warning("[*] Starting admin node on port %s\r\n", Args.Listen)
-	} else if Args.Connect != "" && Args.Listen == "" && Args.Socks5Proxy == "" && Args.HttpProxy == "" { // ./stowaway_admin -c <ip:port> -s [secret]
-		Args.Mode = NORMAL_ACTIVE
+	if args.Listen != "" && args.Connect == "" && args.Socks5Proxy == "" && args.HttpProxy == "" { // ./stowaway_admin -l <port> -s [secret]
+		args.Mode = NORMAL_PASSIVE
+		printer.Warning("[*] Starting admin node on port %s\r\n", args.Listen)
+	} else if args.Connect != "" && args.Listen == "" && args.Socks5Proxy == "" && args.HttpProxy == "" { // ./stowaway_admin -c <ip:port> -s [secret]
+		args.Mode = NORMAL_ACTIVE
 		printer.Warning("[*] Trying to connect node actively")
-	} else if Args.Connect != "" && Args.Listen == "" && Args.Socks5Proxy != "" && Args.HttpProxy == "" { // ./stowaway_admin -c <ip:port> -s [secret] --proxy <ip:port> --proxyu [username] --proxyp [password]
-		Args.Mode = SOCKS5_PROXY_ACTIVE
-		printer.Warning("[*] Trying to connect node actively via socks5 proxy %s\r\n", Args.Socks5Proxy)
-	} else if Args.Connect != "" && Args.Listen == "" && Args.Socks5Proxy == "" && Args.HttpProxy != "" {
-		Args.Mode = HTTP_PROXY_ACTIVE
-		printer.Warning("[*] Trying to connect node actively via http proxy %s\r\n", Args.HttpProxy)
+	} else if args.Connect != "" && args.Listen == "" && args.Socks5Proxy != "" && args.HttpProxy == "" { // ./stowaway_admin -c <ip:port> -s [secret] --proxy <ip:port> --proxyu [username] --proxyp [password]
+		args.Mode = SOCKS5_PROXY_ACTIVE
+		printer.Warning("[*] Trying to connect node actively via socks5 proxy %s\r\n", args.Socks5Proxy)
+	} else if args.Connect != "" && args.Listen == "" && args.Socks5Proxy == "" && args.HttpProxy != "" {
+		args.Mode = HTTP_PROXY_ACTIVE
+		printer.Warning("[*] Trying to connect node actively via http proxy %s\r\n", args.HttpProxy)
 	} else { // Wrong format
 		flag.Usage()
 		os.Exit(0)
 	}
 
-	if err := checkOptions(Args); err != nil {
+	if args.Domain == "" && args.Connect != "" {
+		addrSlice := strings.SplitN(args.Connect, ":", 2)
+		args.Domain = addrSlice[0]
+	}
+
+	if err := checkOptions(args); err != nil {
 		termbox.Close()
 		printer.Fail("[*] Options err: %s\r\n", err.Error())
 		os.Exit(0)
 	}
 
-	return Args
+	return args
 }
 
 func checkOptions(option *Options) error {
 	var err error
 
-	if Args.Connect != "" {
+	if args.Connect != "" {
 		_, err = net.ResolveTCPAddr("", option.Connect)
 	}
 
-	if Args.Socks5Proxy != "" {
+	if args.Socks5Proxy != "" {
 		_, err = net.ResolveTCPAddr("", option.Socks5Proxy)
 	}
 
-	if Args.HttpProxy != "" {
+	if args.HttpProxy != "" {
 		_, err = net.ResolveTCPAddr("", option.HttpProxy)
 	}
 

admin/initial/parser_win.go

@@ -1,3 +1,4 @@
+//go:build windows
 // +build windows
 
 package initial
@@ -7,6 +8,7 @@ import (
 	"fmt"
 	"net"
 	"os"
+	"strings"
 
 	"Stowaway/admin/printer"
 )
@@ -28,21 +30,25 @@ type Options struct {
 	Socks5ProxyP string
 	HttpProxy    string
 	Downstream   string
+	Domain       string
+	TlsEnable    bool
 }
 
-var Args *Options
+var args *Options
 
 func init() {
-	Args = new(Options)
-
-	flag.StringVar(&Args.Secret, "s", "", "Communication secret")
-	flag.StringVar(&Args.Listen, "l", "", "Listen port")
-	flag.StringVar(&Args.Connect, "c", "", "The node address when you actively connect to it")
-	flag.StringVar(&Args.Socks5Proxy, "socks5-proxy", "", "The socks5 server ip:port you want to use")
-	flag.StringVar(&Args.Socks5ProxyU, "socks5-proxyu", "", "socks5 username")
-	flag.StringVar(&Args.Socks5ProxyP, "socks5-proxyp", "", "socks5 password")
-	flag.StringVar(&Args.HttpProxy, "http-proxy", "", "The http proxy server ip:port you want to use")
-	flag.StringVar(&Args.Downstream, "down", "raw", "")
+	args = new(Options)
+
+	flag.StringVar(&args.Secret, "s", "", "Communication secret")
+	flag.StringVar(&args.Listen, "l", "", "Listen port")
+	flag.StringVar(&args.Connect, "c", "", "The node address when you actively connect to it")
+	flag.StringVar(&args.Socks5Proxy, "socks5-proxy", "", "The socks5 server ip:port you want to use")
+	flag.StringVar(&args.Socks5ProxyU, "socks5-proxyu", "", "socks5 username")
+	flag.StringVar(&args.Socks5ProxyP, "socks5-proxyp", "", "socks5 password")
+	flag.StringVar(&args.HttpProxy, "http-proxy", "", "The http proxy server ip:port you want to use")
+	flag.StringVar(&args.Downstream, "down", "raw", "")
+	flag.StringVar(&args.Domain, "domain", "", "Domain name for TLS SNI")
+	flag.BoolVar(&args.TlsEnable, "tls-enable", false, "Encrypt connection by TLS")
 
 	flag.Usage = newUsage
 }
@@ -61,43 +67,48 @@ Usages:
 func ParseOptions() *Options {
 	flag.Parse()
 
-	if Args.Listen != "" && Args.Connect == "" && Args.Socks5Proxy == "" && Args.HttpProxy == "" { // ./stowaway_admin -l <port> -s [secret]
-		Args.Mode = NORMAL_PASSIVE
-		printer.Warning("[*] Starting admin node on port %s\r\n", Args.Listen)
-	} else if Args.Connect != "" && Args.Listen == "" && Args.Socks5Proxy == "" && Args.HttpProxy == "" { // ./stowaway_admin -c <ip:port> -s [secret]
-		Args.Mode = NORMAL_ACTIVE
+	if args.Listen != "" && args.Connect == "" && args.Socks5Proxy == "" && args.HttpProxy == "" { // ./stowaway_admin -l <port> -s [secret]
+		args.Mode = NORMAL_PASSIVE
+		printer.Warning("[*] Starting admin node on port %s\r\n", args.Listen)
+	} else if args.Connect != "" && args.Listen == "" && args.Socks5Proxy == "" && args.HttpProxy == "" { // ./stowaway_admin -c <ip:port> -s [secret]
+		args.Mode = NORMAL_ACTIVE
 		printer.Warning("[*] Trying to connect node actively")
-	} else if Args.Connect != "" && Args.Listen == "" && Args.Socks5Proxy != "" && Args.HttpProxy == "" { // ./stowaway_admin -c <ip:port> -s [secret] --proxy <ip:port> --proxyu [username] --proxyp [password]
-		Args.Mode = SOCKS5_PROXY_ACTIVE
-		printer.Warning("[*] Trying to connect node actively via socks5 proxy %s\r\n", Args.Socks5Proxy)
-	} else if Args.Connect != "" && Args.Listen == "" && Args.Socks5Proxy == "" && Args.HttpProxy != "" {
-		Args.Mode = HTTP_PROXY_ACTIVE
-		printer.Warning("[*] Trying to connect node actively via http proxy %s\r\n", Args.HttpProxy)
+	} else if args.Connect != "" && args.Listen == "" && args.Socks5Proxy != "" && args.HttpProxy == "" { // ./stowaway_admin -c <ip:port> -s [secret] --proxy <ip:port> --proxyu [username] --proxyp [password]
+		args.Mode = SOCKS5_PROXY_ACTIVE
+		printer.Warning("[*] Trying to connect node actively via socks5 proxy %s\r\n", args.Socks5Proxy)
+	} else if args.Connect != "" && args.Listen == "" && args.Socks5Proxy == "" && args.HttpProxy != "" {
+		args.Mode = HTTP_PROXY_ACTIVE
+		printer.Warning("[*] Trying to connect node actively via http proxy %s\r\n", args.HttpProxy)
 	} else { // Wrong format
 		flag.Usage()
 		os.Exit(0)
 	}
 
-	if err := checkOptions(Args); err != nil {
+	if args.Domain == "" && args.Connect != "" {
+		addrSlice := strings.SplitN(args.Connect, ":", 2)
+		args.Domain = addrSlice[0]
+	}
+
+	if err := checkOptions(args); err != nil {
 		printer.Fail("[*] Options err: %s\r\n", err.Error())
 		os.Exit(0)
 	}
 
-	return Args
+	return args
 }
 
 func checkOptions(option *Options) error {
 	var err error
 
-	if Args.Connect != "" {
+	if args.Connect != "" {
 		_, err = net.ResolveTCPAddr("", option.Connect)
 	}
 
-	if Args.Socks5Proxy != "" {
+	if args.Socks5Proxy != "" {
 		_, err = net.ResolveTCPAddr("", option.Socks5Proxy)
 	}
 
-	if Args.HttpProxy != "" {
+	if args.HttpProxy != "" {
 		_, err = net.ResolveTCPAddr("", option.HttpProxy)
 	}
 

agent/agent.go

@@ -19,6 +19,8 @@ func init() {
 func main() {
 	options := initial.ParseOptions()
 
+	share.GeneratePreAuthToken(options.Secret)
+
 	agent := process.NewAgent(options)
 
 	protocol.DecideType(options.Upstream, options.Downstream)
@@ -51,6 +53,7 @@ func main() {
 	}
 
 	global.InitialGComponent(conn, options.Secret, agent.UUID)
+	global.G_TLSEnable = options.TlsEnable
 
 	agent.Run()
 }

agent/handler/connect.go

@@ -1,6 +1,7 @@
 package handler
 
 import (
+	"crypto/tls"
 	"errors"
 	"net"
 	"time"
@@ -9,6 +10,7 @@ import (
 	"Stowaway/global"
 	"Stowaway/protocol"
 	"Stowaway/share"
+	"Stowaway/share/transport"
 )
 
 type Connect struct {
@@ -78,10 +80,21 @@ func (connect *Connect) start(mgr *manager.Manager) {
 		return
 	}
 
-	if err = share.ActivePreAuth(conn, global.G_Component.Secret); err != nil {
+	if err = share.ActivePreAuth(conn); err != nil {
 		return
 	}
 
+	if global.G_TLSEnable {
+		var tlsConfig *tls.Config
+		// Set domain as null since we are in the intranet
+		tlsConfig, err = transport.NewClientTLSConfig("")
+		if err != nil {
+			conn.Close()
+			return
+		}
+		conn = transport.WrapTLSClientConn(conn, tlsConfig)
+	}
+
 	sLMessage = protocol.PrepareAndDecideWhichSProtoToLower(conn, global.G_Component.Secret, protocol.ADMIN_UUID)
 
 	protocol.ConstructMessage(sLMessage, hiHeader, hiMess, false)