Protocol - krrr/wstan GitHub Wiki
wstan protocal is based on WebSocket, and every WS message is binary.
User-Agent <--SOCKS5/HTTP--> (wstan)Client <--this protocol--> (wstan)Server <---> Target
the protocol uses network byte order (big-endian)
All WS messages are encrypted using AES-128-CTR when SSL disabled. The key is pre-shared and also used by HMAC.
Nonce (16bytes) used to encrypt will be generated and exchanged by following ways:
- Default
client: randomly generated; passed to server by
field of WS handshake request -
server: calculated from
, equalsSec-WebSocket-Accept
field of WS handshake reply (leftmost 16 bytes, detail); no exchange
client: randomly generated; passed to server by
- Compatible mode
client: randomly generated; passed to server by
field that contains one pair: the first is underscore plus(last_byte_of_sha1_of_key % 26) + 65)
), and the last is base64 encoded nonce. - server: leftmost 16 bytes of SHA1 of the encryptor nonce used by client; no exchange
client: randomly generated; passed to server by
Command | Enum | Meaning |
CMD_REQ | 0x00 | ask server to connect to a target and relay data |
CMD_DAT | 0x01 | carries actual data |
CMD_RST | 0x02 | reset tunnel, make it able to accept another request |
Request message:
Field Length(Bytes) Detail type 1 CMD_REQ timestamp 8 seconds since epoch (the double type of C language) RESERVED 1 must be 0x00 address type 1 0x01=IPv4; 0x03=Domain name; 0x04=IPv6 target address var. 4 bytes for IPv4; 1 byte of name length followed by the name for domain name; 16 bytes for IPv6 port number 2 data var. to be sent to target HMAC 10 hmac-sha1 of previous parts (leftmost 10 bytes) Request message may be encoded into URI of WS handshake (
; encoding using url-safe base64 (substitutes-
instead of+
instead of/
in the standard base64 alphabet)). Server should check timestamp and deny expired request (default timeout is 60s). Server may also remember accepted requests and deny reused nonce. -
Data message:
Field Length(Bytes) Detail type 1 CMD_DAT data var. to be sent to target or user-agent There is no multiplexing. Once a request is accepted the tunnel (and underlying TCP conn.) will be exclusively used by it.
Reset message:
Field Length(Bytes) Detail type 1 CMD_RST reason var. UTF-8 encoded string; ignored if started with 2 spaces HMAC 10 hmac-sha1 of previous parts (leftmost 10 bytes) Server can tell client why request is failed using
field. A normal reset'sreason
should only contain spaces. -
Close message: Using close message of WebSocket directly.
- --> IDLE(initial)
- IDLE --REQ-received--> USING
- USING --RST-sent--> RESETTING --RST-received--> IDLE
- USING --RST-received--> IDLE (a RST will be sent immediately as reply)