mirror of
https://github.com/XTLS/Xray-core.git
synced 2024-11-22 20:59:19 +02:00
Add TLS Hello Fragmentation for freedom outbound (#2131)
* Replace TCP Segmentation with TLS Hello Fragmentation * Update infra/conf/freedom.go * Refine proxy/freedom/freedom.go --------- Co-authored-by: RPRX <63339210+RPRX@users.noreply.github.com>
This commit is contained in:
parent
def5807c64
commit
9122d0f056
|
@ -90,7 +90,17 @@ func (c *FreedomConfig) Build() (proto.Message, error) {
|
||||||
MaxLength: int32(maxLength),
|
MaxLength: int32(maxLength),
|
||||||
}
|
}
|
||||||
|
|
||||||
if len(c.Fragment.Packets) > 0 {
|
switch strings.ToLower(c.Fragment.Packets) {
|
||||||
|
case "tlshello":
|
||||||
|
// TLS Hello Fragmentation (into multiple handshake messages)
|
||||||
|
config.Fragment.StartPacket = 0
|
||||||
|
config.Fragment.EndPacket = 1
|
||||||
|
case "":
|
||||||
|
// TCP Segmentation (all packets)
|
||||||
|
config.Fragment.StartPacket = 0
|
||||||
|
config.Fragment.EndPacket = 0
|
||||||
|
default:
|
||||||
|
// TCP Segmentation (range)
|
||||||
packetRange := strings.Split(c.Fragment.Packets, "-")
|
packetRange := strings.Split(c.Fragment.Packets, "-")
|
||||||
var startPacket, endPacket int64
|
var startPacket, endPacket int64
|
||||||
if len(packetRange) == 2 {
|
if len(packetRange) == 2 {
|
||||||
|
@ -114,9 +124,6 @@ func (c *FreedomConfig) Build() (proto.Message, error) {
|
||||||
}
|
}
|
||||||
config.Fragment.StartPacket = int32(startPacket)
|
config.Fragment.StartPacket = int32(startPacket)
|
||||||
config.Fragment.EndPacket = int32(endPacket)
|
config.Fragment.EndPacket = int32(endPacket)
|
||||||
} else {
|
|
||||||
config.Fragment.StartPacket = 0
|
|
||||||
config.Fragment.EndPacket = 0
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -5,6 +5,7 @@ package freedom
|
||||||
import (
|
import (
|
||||||
"context"
|
"context"
|
||||||
"crypto/rand"
|
"crypto/rand"
|
||||||
|
"encoding/binary"
|
||||||
"io"
|
"io"
|
||||||
"math/big"
|
"math/big"
|
||||||
"time"
|
"time"
|
||||||
|
@ -12,6 +13,7 @@ import (
|
||||||
"github.com/xtls/xray-core/common"
|
"github.com/xtls/xray-core/common"
|
||||||
"github.com/xtls/xray-core/common/buf"
|
"github.com/xtls/xray-core/common/buf"
|
||||||
"github.com/xtls/xray-core/common/dice"
|
"github.com/xtls/xray-core/common/dice"
|
||||||
|
"github.com/xtls/xray-core/common/errors"
|
||||||
"github.com/xtls/xray-core/common/net"
|
"github.com/xtls/xray-core/common/net"
|
||||||
"github.com/xtls/xray-core/common/retry"
|
"github.com/xtls/xray-core/common/retry"
|
||||||
"github.com/xtls/xray-core/common/session"
|
"github.com/xtls/xray-core/common/session"
|
||||||
|
@ -173,6 +175,16 @@ func (h *Handler) Process(ctx context.Context, link *transport.Link, dialer inte
|
||||||
var writer buf.Writer
|
var writer buf.Writer
|
||||||
if destination.Network == net.Network_TCP {
|
if destination.Network == net.Network_TCP {
|
||||||
if h.config.Fragment != nil {
|
if h.config.Fragment != nil {
|
||||||
|
if h.config.Fragment.StartPacket == 0 && h.config.Fragment.EndPacket == 1 {
|
||||||
|
newError("FRAGMENT", int(h.config.Fragment.MaxLength)).WriteToLog(session.ExportIDToError(ctx))
|
||||||
|
writer = buf.NewWriter(
|
||||||
|
&FragmentedClientHelloConn{
|
||||||
|
Conn: conn,
|
||||||
|
maxLength: int(h.config.Fragment.MaxLength),
|
||||||
|
minInterval: time.Duration(h.config.Fragment.MinInterval) * time.Millisecond,
|
||||||
|
maxInterval: time.Duration(h.config.Fragment.MaxInterval) * time.Millisecond,
|
||||||
|
})
|
||||||
|
} else {
|
||||||
writer = buf.NewWriter(
|
writer = buf.NewWriter(
|
||||||
&FragmentWriter{
|
&FragmentWriter{
|
||||||
Writer: conn,
|
Writer: conn,
|
||||||
|
@ -184,6 +196,7 @@ func (h *Handler) Process(ctx context.Context, link *transport.Link, dialer inte
|
||||||
endPacket: int(h.config.Fragment.EndPacket),
|
endPacket: int(h.config.Fragment.EndPacket),
|
||||||
PacketCount: 0,
|
PacketCount: 0,
|
||||||
})
|
})
|
||||||
|
}
|
||||||
} else {
|
} else {
|
||||||
writer = buf.NewWriter(conn)
|
writer = buf.NewWriter(conn)
|
||||||
}
|
}
|
||||||
|
@ -388,3 +401,66 @@ func randBetween(left int64, right int64) int64 {
|
||||||
bigInt, _ := rand.Int(rand.Reader, big.NewInt(right-left))
|
bigInt, _ := rand.Int(rand.Reader, big.NewInt(right-left))
|
||||||
return left + bigInt.Int64()
|
return left + bigInt.Int64()
|
||||||
}
|
}
|
||||||
|
|
||||||
|
type FragmentedClientHelloConn struct {
|
||||||
|
net.Conn
|
||||||
|
PacketCount int
|
||||||
|
minLength int
|
||||||
|
maxLength int
|
||||||
|
minInterval time.Duration
|
||||||
|
maxInterval time.Duration
|
||||||
|
}
|
||||||
|
|
||||||
|
func (c *FragmentedClientHelloConn) Write(b []byte) (n int, err error) {
|
||||||
|
if len(b) >= 5 && b[0] == 22 && c.PacketCount == 0 {
|
||||||
|
n, err = sendFragmentedClientHello(c, b, c.minLength, c.maxLength)
|
||||||
|
|
||||||
|
if err == nil {
|
||||||
|
c.PacketCount++
|
||||||
|
return n, err
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return c.Conn.Write(b)
|
||||||
|
}
|
||||||
|
|
||||||
|
func sendFragmentedClientHello(conn *FragmentedClientHelloConn, clientHello []byte, minFragmentSize, maxFragmentSize int) (n int, err error) {
|
||||||
|
if len(clientHello) < 5 || clientHello[0] != 22 {
|
||||||
|
return 0, errors.New("not a valid TLS ClientHello message")
|
||||||
|
}
|
||||||
|
|
||||||
|
clientHelloLen := (int(clientHello[3]) << 8) | int(clientHello[4])
|
||||||
|
|
||||||
|
clientHelloData := clientHello[5:]
|
||||||
|
for i := 0; i < clientHelloLen; {
|
||||||
|
fragmentEnd := i + int(randBetween(int64(minFragmentSize), int64(maxFragmentSize)))
|
||||||
|
if fragmentEnd > clientHelloLen {
|
||||||
|
fragmentEnd = clientHelloLen
|
||||||
|
}
|
||||||
|
|
||||||
|
fragment := clientHelloData[i:fragmentEnd]
|
||||||
|
i = fragmentEnd
|
||||||
|
|
||||||
|
err = writeFragmentedRecord(conn, 22, fragment, clientHello)
|
||||||
|
if err != nil {
|
||||||
|
return 0, err
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return len(clientHello), nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func writeFragmentedRecord(c *FragmentedClientHelloConn, contentType uint8, data []byte, clientHello []byte) error {
|
||||||
|
header := make([]byte, 5)
|
||||||
|
header[0] = byte(clientHello[0])
|
||||||
|
|
||||||
|
tlsVersion := (int(clientHello[1]) << 8) | int(clientHello[2])
|
||||||
|
binary.BigEndian.PutUint16(header[1:], uint16(tlsVersion))
|
||||||
|
|
||||||
|
binary.BigEndian.PutUint16(header[3:], uint16(len(data)))
|
||||||
|
_, err := c.Conn.Write(append(header, data...))
|
||||||
|
randomInterval := randBetween(int64(c.minInterval), int64(c.maxInterval))
|
||||||
|
time.Sleep(time.Duration(randomInterval))
|
||||||
|
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
Loading…
Reference in New Issue