Add QUIC support for GT.

README.md

@@ -329,18 +329,19 @@ options:
 #### Internal QUIC Penetration
 
 - Requirements: There is an intranet server and a public network server, and id1.example.com resolves to the address of the public network server. Hopefully by accessing id1.example.com:8080
-  To access the web page served by port 80 on the intranet server. Use QUIC to build a transport connection between the client and the server. QUIC uses TLS 1.3 for transport encryption.
+  To access the web page served by port 80 on the intranet server. Use QUIC to build a transport connection between the client and the server. QUIC uses TLS 1.3 for transport encryption. When the user also gives certFile
+  and keyFile, use them for encrypted communication. Otherwise, keys and certificates are automatically generated using the ECDSA encryption algorithm.
 
-- Server (Public network server)
+- Server (public network server)
 
 ```shell
-./release/linux-amd64-server -addr 8080 -quicAddr 10080 -id id1 -secret secret1
+./release/linux-amd64-server -addr 8080 -quicAddr 443 -certFile /root/openssl_crt/tls.crt -keyFile /root/openssl_crt/tls.key -id id1 -secret secret1
 ```
 
-- Client (Internal network server). Because a self-signed certificate is not used, the `-remoteCertInsecure` option is not used.
+- Client (internal network server), because a self-signed certificate is used, the `-remoteCertInsecure` option is used. This option is prohibited from being used in other cases (man-in-the-middle attacks cause encrypted content to be decrypted
 
 ```shell
-./release/linux-amd64-client -local http://127.0.0.1:80 -remote quic://id1.example.com:10080 -id id1 -secret secret1
+./release/linux-amd64-client -local http://127.0.0.1:80 -remote quic://id1.example.com:443 -remoteCertInsecure -id id1 -secret secret1
 ```
 
 #### Client Start Multiple Services Simultaneously

README_CN.md

@@ -311,18 +311,19 @@ options:
 #### QUIC 内网穿透
 
 - 需求：有一台内网服务器和一台公网服务器，id1.example.com 解析到公网服务器的地址。希望通过访问 id1.example.com:8080
-  来访问内网服务器上 80 端口服务的网页。使用 QUIC 为客户端与服务端之间构建传输连接，QUIC 使用 TLS 1.3 进行传输加密。
+  来访问内网服务器上 80 端口服务的网页。使用 QUIC 为客户端与服务端之间构建传输连接，QUIC 使用 TLS 1.3 进行传输加密。当用户同时给出certFile
+  和keyFile时，使用他们进行加密通信。否则，会使用 ECDSA 加密算法自动生成密钥和证书。
 
 - 服务端（公网服务器）
 
 ```shell
-./release/linux-amd64-server -addr 8080 -quicAddr 443 -id id1 -secret secret1
+./release/linux-amd64-server -addr 8080 -quicAddr 443 -certFile /root/openssl_crt/tls.crt -keyFile /root/openssl_crt/tls.key -id id1 -secret secret1
 ```
 
-- 客户端（内网服务器）。因为没有使用自签名证书，所以未使用 `-remoteCertInsecure` 选项。
+- 客户端（内网服务器），因为使用了自签名证书，所以使用了 `-remoteCertInsecure` 选项，其它情况禁止使用此选项（中间人攻击导致加密内容被解密
 
 ```shell
-./release/linux-amd64-client -local http://127.0.0.1:80 -remote quic://id1.example.com:443 -id id1 -secret secret1
+./release/linux-amd64-client -local http://127.0.0.1:80 -remote quic://id1.example.com:443 -remoteCertInsecure -id id1 -secret secret1
 ```
 
 #### 客户端同时开启多个服务

conn/quicConn.go

@@ -2,8 +2,14 @@ package conn
 
 import (
 	"context"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
 	"crypto/tls"
+	"crypto/x509"
+	"encoding/pem"
 	"github.com/quic-go/quic-go"
+	"math/big"
 	"net"
 )
 
@@ -57,3 +63,30 @@ func (ln *QuicListener) Accept() (net.Conn, error) {
 	}
 	return nc, err
 }
+
+func GenerateTLSConfig() *tls.Config {
+	ecdsaKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		panic(err)
+	}
+	template := x509.Certificate{SerialNumber: big.NewInt(1)}
+	certDER, err := x509.CreateCertificate(rand.Reader, &template, &template, &ecdsaKey.PublicKey, ecdsaKey)
+	if err != nil {
+		panic(err)
+	}
+	keyBytes, err := x509.MarshalECPrivateKey(ecdsaKey)
+	if err != nil {
+		panic(err)
+	}
+	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "ECDSA PRIVATE KEY", Bytes: keyBytes})
+	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER})
+
+	tlsCert, err := tls.X509KeyPair(certPEM, keyPEM)
+	if err != nil {
+		panic(err)
+	}
+	return &tls.Config{
+		Certificates: []tls.Certificate{tlsCert},
+		NextProtos:   []string{"gt-quic"},
+	}
+}

server/server.go

@@ -149,7 +149,11 @@ func (s *Server) listen() (err error) {
 
 func (s *Server) quicListen() (err error) {
 	var tlsConfig *tls.Config
-	tlsConfig, err = newTLSConfig(s.config.CertFile, s.config.KeyFile, s.config.TLSMinVersion)
+	if len(s.config.CertFile) > 0 && len(s.config.KeyFile) > 0 {
+		tlsConfig, err = newTLSConfig(s.config.CertFile, s.config.KeyFile, s.config.TLSMinVersion)
+	} else {
+		tlsConfig = connection.GenerateTLSConfig()
+	}
 	if err != nil {
 		return
 	}