Upstream sync (#14)

* Set ServerName (SNI) to *hostname. Useful for spoofing our way through restrictive gateways.

* Bump actions/checkout from 2 to 3.1.0

Bumps [actions/checkout](https://github.com/actions/checkout) from 2 to 3.1.0.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v2...v3.1.0)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>

* Added --sni switch to control the ServerName when connecting with TLS. Makes 'domain fronting' possible.

* feat: dependabot workflow automation for updating dependency 

Signed-off-by: Pratik Raj <[email protected]>

* Bump github.com/fsnotify/fsnotify from 1.4.9 to 1.6.0 (jpillora#389)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* UDP buffer size override with CHISEL_UDP_MAX_SIZE environment variable (jpillora#367)

* Add locking around the connection count to fix a data race. (jpillora#342)

Co-authored-by: andres-portainer <[email protected]>

* fix: small typo error in main.go (jpillora#334)

* Respond to /health and /version by request path rather than by the whole url string (jpillora#328)

Co-authored-by: bar <[email protected]>

* Update version.go (jpillora#288)

* Providing chisel's client with a logger level (jpillora#281)

Co-authored-by: Barak Sharoni <[email protected]>
Co-authored-by: barak-sharoni-velocity <[email protected]>

* add EnvBool

* Fix jpillora#390: Use code to generate certificates for client & server (jpillora#400)

* docker alpine->google-distroless

* docker to use scratch

* Fix missing NetDialContext: c.config.DialContext (jpillora#398)

* actions: setup go v3

* switch to scratch image

* update dependabot

* move chisel to flyio

* Bump to Go 1.21 (jpillora#440)

Co-authored-by: cmeng <[email protected]>

* add arm v5 builds (jpillora#395)

* Sync with upstream

---------

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Pratik Raj <[email protected]>
Co-authored-by: ip-rw <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Pratik Raj <[email protected]>
Co-authored-by: Jaime Pillora <[email protected]>
Co-authored-by: fsiegmund <[email protected]>
Co-authored-by: andres-portainer <[email protected]>
Co-authored-by: andres-portainer <[email protected]>
Co-authored-by: 0xflotus <[email protected]>
Co-authored-by: BigSully <[email protected]>
Co-authored-by: bar <[email protected]>
Co-authored-by: invist <[email protected]>
Co-authored-by: zuzgon <[email protected]>
Co-authored-by: Barak Sharoni <[email protected]>
Co-authored-by: barak-sharoni-velocity <[email protected]>
Co-authored-by: Jaime Pillora <[email protected]>
Co-authored-by: Guillaume SMAHA <[email protected]>
Co-authored-by: cmeng <[email protected]>
Co-authored-by: maurerr <[email protected]>

.github/goreleaser.yml

@@ -25,6 +25,7 @@ builds:
       - mips64le
       - s390x
     goarm:
+      - 5
       - 6
       - 7
     gomips:

.github/workflows/ci.yml

@@ -10,7 +10,7 @@ jobs:
     name: Test
     strategy:
       matrix:
-        go-version: [1.19.x, 1.20.x]
+        go-version: [1.21.x]
         platform: [ubuntu-latest, macos-latest, windows-latest]
     runs-on: ${{ matrix.platform }}
     steps:

README.md

@@ -119,12 +119,23 @@ $ chisel server --help
     --port, -p, Defines the HTTP listening port (defaults to the environment
     variable PORT and fallsback to port 8080).
 
-    --key, An optional string to seed the generation of a ECDSA public
+    --key, (deprecated use --keygen and --keyfile instead)
+    An optional string to seed the generation of a ECDSA public
     and private key pair. All communications will be secured using this
     key pair. Share the subsequent fingerprint with clients to enable detection
     of man-in-the-middle attacks (defaults to the CHISEL_KEY environment
     variable, otherwise a new key is generate each run).
 
+    --keygen, A path to write a newly generated PEM-encoded SSH private key file.
+    If users depend on your --key fingerprint, you may also include your --key to
+    output your existing key. Use - (dash) to output the generated key to stdout.
+
+    --keyfile, An optional path to a PEM-encoded SSH private key. When
+    this flag is set, the --key option is ignored, and the provided private key
+    is used to secure all communications. (defaults to the CHISEL_KEY_FILE
+    environment variable). Since ECDSA keys are short, you may also set keyfile
+    to an inline base64 private key (e.g. chisel server --keygen - | base64).
+
     --authfile, An optional path to a users.json file. This file should
     be an object with users defined like:
       {
@@ -300,6 +311,9 @@ $ chisel client --help
     --hostname, Optionally set the 'Host' header (defaults to the host
     found in the server url).
 
+    --sni, Override the ServerName when using TLS (defaults to the 
+    hostname).
+
     --tls-ca, An optional root certificate bundle used to verify the
     chisel server. Only valid when connecting to the server with
     "https" or "wss". By default, the operating system CAs will be used.
@@ -341,38 +355,42 @@ $ chisel client --help
 
 ### Security
 
-Encryption is always enabled. When you start up a chisel server, it will generate an in-memory ECDSA public/private key pair. The public key fingerprint (base64 encoded SHA256) will be displayed as the server starts. Instead of generating a random key, the server may optionally specify a key seed, using the `--key` option, which will be used to seed the key generation. When clients connect, they will also display the server's public key fingerprint. The client can force a particular fingerprint using the `--fingerprint` option. See the `--help` above for more information.
+Encryption is always enabled. When you start up a chisel server, it will generate an in-memory ECDSA public/private key pair. The public key fingerprint (base64 encoded SHA256) will be displayed as the server starts. Instead of generating a random key, the server may optionally specify a key file, using the `--keyfile` option. When clients connect, they will also display the server's public key fingerprint. The client can force a particular fingerprint using the `--fingerprint` option. See the `--help` above for more information.
 
 ### Authentication
 
 Using the `--authfile` option, the server may optionally provide a `user.json` configuration file to create a list of accepted users. The client then authenticates using the `--auth` option. See [users.json](example/users.json) for an example authentication configuration file. See the `--help` above for more information.
 
 Internally, this is done using the _Password_ authentication method provided by SSH. Learn more about `crypto/ssh` here http://blog.gopheracademy.com/go-and-ssh/.
 
-### SOCKS5 Guide
+### SOCKS5 Guide with Docker
+
+1. Print a new private key to the terminal
+
+    ```sh
+    chisel server --keygen -
+    # or save it to disk --keygen /path/to/mykey
+    ```
 
 1. Start your chisel server
 
-```sh
-docker run \
-  --name chisel -p 9312:9312 \
-  -d --restart always \
-  jpillora/chisel server -p 9312 --socks5 --key supersecret
-```
+    ```sh
+    jpillora/chisel server --keyfile '<ck-base64 string or file path>' -p 9312 --socks5
+    ```
 
-2. Connect your chisel client (using server's fingerprint)
+1. Connect your chisel client (using server's fingerprint)
 
-```sh
-chisel client --fingerprint 'rHb55mcxf6vSckL2AezFV09rLs7pfPpavVu++MF7AhQ=' <server-address>:9312 socks
-```
+    ```sh
+    chisel client --fingerprint '<see server output>' <server-address>:9312 socks
+    ```
 
-3. Point your SOCKS5 clients (e.g. OS/Browser) to:
+1. Point your SOCKS5 clients (e.g. OS/Browser) to:
 
-```
-<client-address>:1080
-```
+    ```
+    <client-address>:1080
+    ```
 
-4. Now you have an encrypted, authenticated SOCKS5 connection over HTTP
+1. Now you have an encrypted, authenticated SOCKS5 connection over HTTP
 
 
 #### Caveats
@@ -403,6 +421,8 @@ Since WebSockets support is required:
 - `1.5` - Added reverse SOCKS support (by @aus)
 - `1.6` - Added client stdio support (by @BoleynSu)
 - `1.7` - Added UDP support
+- `1.8` - Move to a `scratch`Docker image
+- `1.9` - Switch from `--key` seed to P256 key strings with `--key{gen,file}` + bump to Go 1.21 (by @cmenginnz)
 
 ## License
 

client/client.go

@@ -29,7 +29,7 @@ import (
 	"golang.org/x/sync/errgroup"
 )
 
-//Config represents a client configuration
+// Config represents a client configuration
 type Config struct {
 	Fingerprint      string
 	Auth             string
@@ -45,7 +45,7 @@ type Config struct {
 	Verbose          bool
 }
 
-//TLSConfig for a Client
+// TLSConfig for a Client
 type TLSConfig struct {
 	SkipVerify bool
 	CA         string
@@ -54,7 +54,7 @@ type TLSConfig struct {
 	ServerName string
 }
 
-//Client represents a client instance
+// Client represents a client instance
 type Client struct {
 	*cio.Logger
 	config    *Config
@@ -69,7 +69,7 @@ type Client struct {
 	tunnel    *tunnel.Tunnel
 }
 
-//NewClient creates a new client instance
+// NewClient creates a new client instance
 func NewClient(c *Config) (*Client, error) {
 	//apply default scheme
 	if !strings.HasPrefix(c.Server, "http") {
@@ -190,7 +190,7 @@ func NewClient(c *Config) (*Client, error) {
 	return client, nil
 }
 
-//Run starts client and blocks while connected
+// Run starts client and blocks while connected
 func (c *Client) Run() error {
 	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()
@@ -221,7 +221,7 @@ func (c *Client) verifyServer(hostname string, remote net.Addr, key ssh.PublicKe
 	return nil
 }
 
-//verifyLegacyFingerprint calculates and compares legacy MD5 fingerprints
+// verifyLegacyFingerprint calculates and compares legacy MD5 fingerprints
 func (c *Client) verifyLegacyFingerprint(key ssh.PublicKey) error {
 	bytes := md5.Sum(key.Marshal())
 	strbytes := make([]string, len(bytes))
@@ -236,7 +236,7 @@ func (c *Client) verifyLegacyFingerprint(key ssh.PublicKey) error {
 	return nil
 }
 
-//Start client and does not block
+// Start client and does not block
 func (c *Client) Start(ctx context.Context) error {
 	ctx, cancel := context.WithCancel(ctx)
 	c.stop = cancel
@@ -293,12 +293,12 @@ func (c *Client) setProxy(u *url.URL, d *websocket.Dialer) error {
 	return nil
 }
 
-//Wait blocks while the client is running.
+// Wait blocks while the client is running.
 func (c *Client) Wait() error {
 	return c.eg.Wait()
 }
 
-//Close manually stops the client
+// Close manually stops the client
 func (c *Client) Close() error {
 	if c.stop != nil {
 		c.stop()

client/client_test.go

@@ -1,7 +1,6 @@
 package chclient
 
 import (
-	"crypto/ecdsa"
 	"crypto/elliptic"
 	"log"
 	"net/http"
@@ -45,87 +44,62 @@ func TestCustomHeaders(t *testing.T) {
 	c.Close()
 }
 
-// with the update Go to 1.20, these Unit Tests start failing,
-// since this test is related to client side, and the "fingerprint" flag is not available in cloud-connector
-// we can remove/comment these 3 Unit Tests, until fixed in upstream
-
-// func TestFallbackLegacyFingerprint(t *testing.T) {
-// 	config := Config{
-// 		Fingerprint: "a5:32:92:c6:56:7a:9e:61:26:74:1b:81:a6:f5:1b:44",
-// 	}
-// 	c, err := NewClient(&config)
-// 	if err != nil {
-// 		t.Fatal(err)
-// 	}
-// 	r := ccrypto.NewDetermRand([]byte("test123"))
-// 	priv, err := ecdsa.GenerateKey(elliptic.P256(), r)
-// 	if err != nil {
-// 		t.Fatal(err)
-// 	}
-// 	pub, err := ssh.NewPublicKey(&priv.PublicKey)
-// 	if err != nil {
-// 		t.Fatal(err)
-// 	}
-// 	err = c.verifyServer("", nil, pub)
-// 	if err != nil {
-// 		t.Fatal(err)
-// 	}
-// }
-
-// func TestVerifyLegacyFingerprint(t *testing.T) {
-// 	config := Config{
-// 		Fingerprint: "a5:32:92:c6:56:7a:9e:61:26:74:1b:81:a6:f5:1b:44",
-// 	}
-// 	c, err := NewClient(&config)
-// 	if err != nil {
-// 		t.Fatal(err)
-// 	}
-// 	r := ccrypto.NewDetermRand([]byte("test123"))
-// 	priv, err := ecdsa.GenerateKey(elliptic.P256(), r)
-// 	if err != nil {
-// 		t.Fatal(err)
-// 	}
-// 	pub, err := ssh.NewPublicKey(&priv.PublicKey)
-// 	if err != nil {
-// 		t.Fatal(err)
-// 	}
-// 	err = c.verifyLegacyFingerprint(pub)
-// 	if err != nil {
-// 		t.Fatal(err)
-// 	}
-// }
+func TestFallbackLegacyFingerprint(t *testing.T) {
+	config := Config{
+		Fingerprint: "a5:32:92:c6:56:7a:9e:61:26:74:1b:81:a6:f5:1b:44",
+	}
+	c, err := NewClient(&config)
+	if err != nil {
+		t.Fatal(err)
+	}
+	r := ccrypto.NewDetermRand([]byte("test123"))
+	priv, err := ccrypto.GenerateKeyGo119(elliptic.P256(), r)
+	if err != nil {
+		t.Fatal(err)
+	}
+	pub, err := ssh.NewPublicKey(&priv.PublicKey)
+	if err != nil {
+		t.Fatal(err)
+	}
+	err = c.verifyServer("", nil, pub)
+	if err != nil {
+		t.Fatal(err)
+	}
+}
 
-// func TestVerifyFingerprint(t *testing.T) {
-// 	config := Config{
-// 		Fingerprint: "qmrRoo8MIqePv3jC8+wv49gU6uaFgD3FASQx9V8KdmY=",
-// 	}
-// 	c, err := NewClient(&config)
-// 	if err != nil {
-// 		t.Fatal(err)
-// 	}
-// 	r := ccrypto.NewDetermRand([]byte("test123"))
-// 	priv, err := ecdsa.GenerateKey(elliptic.P256(), r)
-// 	if err != nil {
-// 		t.Fatal(err)
-// 	}
-// 	pub, err := ssh.NewPublicKey(&priv.PublicKey)
-// 	if err != nil {
-// 		t.Fatal(err)
-// 	}
-// 	err = c.verifyServer("", nil, pub)
-// 	if err != nil {
-// 		t.Fatal(err)
-// 	}
-// }
+func TestVerifyLegacyFingerprint(t *testing.T) {
+	config := Config{
+		Fingerprint: "a5:32:92:c6:56:7a:9e:61:26:74:1b:81:a6:f5:1b:44",
+	}
+	c, err := NewClient(&config)
+	if err != nil {
+		t.Fatal(err)
+	}
+	r := ccrypto.NewDetermRand([]byte("test123"))
+	priv, err := ccrypto.GenerateKeyGo119(elliptic.P256(), r)
+	if err != nil {
+		t.Fatal(err)
+	}
+	pub, err := ssh.NewPublicKey(&priv.PublicKey)
+	if err != nil {
+		t.Fatal(err)
+	}
+	err = c.verifyLegacyFingerprint(pub)
+	if err != nil {
+		t.Fatal(err)
+	}
+}
 
-func TestVerifyEmptyFingerprint(t *testing.T) {
-	config := Config{}
+func TestVerifyFingerprint(t *testing.T) {
+	config := Config{
+		Fingerprint: "qmrRoo8MIqePv3jC8+wv49gU6uaFgD3FASQx9V8KdmY=",
+	}
 	c, err := NewClient(&config)
 	if err != nil {
 		t.Fatal(err)
 	}
 	r := ccrypto.NewDetermRand([]byte("test123"))
-	priv, err := ecdsa.GenerateKey(elliptic.P256(), r)
+	priv, err := ccrypto.GenerateKeyGo119(elliptic.P256(), r)
 	if err != nil {
 		t.Fatal(err)
 	}

go.mod

@@ -1,6 +1,6 @@
 module github.com/jpillora/chisel
 
-go 1.20
+go 1.21
 
 require (
 	github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5
@@ -9,15 +9,15 @@ require (
 	github.com/jpillora/backoff v1.0.0
 	github.com/jpillora/requestlog v1.0.0
 	github.com/jpillora/sizestr v1.0.0
-	golang.org/x/crypto v0.10.0
-	golang.org/x/net v0.11.0
+	golang.org/x/crypto v0.12.0
+	golang.org/x/net v0.14.0
 	golang.org/x/sync v0.3.0
 )
 
 require (
 	github.com/andrew-d/go-termutil v0.0.0-20150726205930-009166a695a2 // indirect
 	github.com/jpillora/ansi v1.0.3 // indirect
 	github.com/tomasen/realip v0.0.0-20180522021738-f0c99a92ddce // indirect
-	golang.org/x/sys v0.9.0 // indirect
-	golang.org/x/text v0.10.0 // indirect
+	golang.org/x/sys v0.11.0 // indirect
+	golang.org/x/text v0.12.0 // indirect
 )