From a9e11075d142d5384b1cc0ffc7af45aabf081578 Mon Sep 17 00:00:00 2001 From: RPRX <63339210+rprx@users.noreply.github.com> Date: Mon, 29 Mar 2021 10:08:29 +0000 Subject: [PATCH] Add uTLS fingerprints support (#451) --- go.mod | 1 + go.sum | 2 ++ infra/conf/transport_internet.go | 2 ++ transport/internet/tcp/dialer.go | 15 ++++++------- transport/internet/tls/config.pb.go | 33 +++++++++++++++++++---------- transport/internet/tls/config.proto | 3 +++ transport/internet/tls/tls.go | 23 +++++++++++--------- 7 files changed, 50 insertions(+), 29 deletions(-) diff --git a/go.mod b/go.mod index 374be962..67ad28f9 100644 --- a/go.mod +++ b/go.mod @@ -12,6 +12,7 @@ require ( github.com/miekg/dns v1.1.40 github.com/pelletier/go-toml v1.8.1 github.com/pires/go-proxyproto v0.5.0 + github.com/refraction-networking/utls v0.0.0-20201210053706-2179f286686b github.com/seiflotfy/cuckoofilter v0.0.0-20201222105146-bc6005554a0c github.com/stretchr/testify v1.7.0 github.com/xtls/go v0.0.0-20201118062508-3632bf3b7499 diff --git a/go.sum b/go.sum index 88cc9e15..d6999951 100644 --- a/go.sum +++ b/go.sum @@ -139,6 +139,8 @@ github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1: github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/common v0.0.0-20180801064454-c7de2306084e/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro= github.com/prometheus/procfs v0.0.0-20180725123919-05ee40e3a273/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= +github.com/refraction-networking/utls v0.0.0-20201210053706-2179f286686b h1:lzo71oHzQEz0fKMSjR0BpVzuh2hOHvJTxnN3Rnikmtg= +github.com/refraction-networking/utls v0.0.0-20201210053706-2179f286686b/go.mod h1:tz9gX959MEFfFN5whTIocCLUG57WiILqtdVxI8c6Wj0= github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g= github.com/seiflotfy/cuckoofilter v0.0.0-20201222105146-bc6005554a0c h1:pqy40B3MQWYrza7YZXOXgl0Nf0QGFqrOC0BKae1UNAA= github.com/seiflotfy/cuckoofilter v0.0.0-20201222105146-bc6005554a0c/go.mod h1:bR6DqgcAl1zTcOX8/pE2Qkj9XO00eCNqmKb7lXP8EAg= diff --git a/infra/conf/transport_internet.go b/infra/conf/transport_internet.go index 15d5dd32..d0f448e0 100644 --- a/infra/conf/transport_internet.go +++ b/infra/conf/transport_internet.go @@ -321,6 +321,7 @@ type TLSConfig struct { MaxVersion string `json:"maxVersion"` CipherSuites string `json:"cipherSuites"` PreferServerCipherSuites bool `json:"preferServerCipherSuites"` + Fingerprint string `json:"fingerprint"` } // Build implements Buildable. @@ -348,6 +349,7 @@ func (c *TLSConfig) Build() (proto.Message, error) { config.MaxVersion = c.MaxVersion config.CipherSuites = c.CipherSuites config.PreferServerCipherSuites = c.PreferServerCipherSuites + config.Fingerprint = strings.ToLower(c.Fingerprint) return config, nil } diff --git a/transport/internet/tcp/dialer.go b/transport/internet/tcp/dialer.go index c8fda925..e2c6a1b8 100644 --- a/transport/internet/tcp/dialer.go +++ b/transport/internet/tcp/dialer.go @@ -3,6 +3,8 @@ package tcp import ( "context" + utls "github.com/refraction-networking/utls" + "github.com/xtls/xray-core/common" "github.com/xtls/xray-core/common/net" "github.com/xtls/xray-core/common/session" @@ -21,14 +23,11 @@ func Dial(ctx context.Context, dest net.Destination, streamSettings *internet.Me if config := tls.ConfigFromStreamSettings(streamSettings); config != nil { tlsConfig := config.GetTLSConfig(tls.WithDestination(dest)) - /* - if config.IsExperiment8357() { - conn = tls.UClient(conn, tlsConfig) - } else { - conn = tls.Client(conn, tlsConfig) - } - */ - conn = tls.Client(conn, tlsConfig) + if fingerprint, ok := tls.Fingerprints[config.Fingerprint]; ok { + conn = utls.UClient(conn, tls.CopyConfig(tlsConfig), fingerprint) + } else { + conn = tls.Client(conn, tlsConfig) + } } else if config := xtls.ConfigFromStreamSettings(streamSettings); config != nil { xtlsConfig := config.GetXTLSConfig(xtls.WithDestination(dest)) conn = xtls.Client(conn, xtlsConfig) diff --git a/transport/internet/tls/config.pb.go b/transport/internet/tls/config.pb.go index 77dd879f..b58a660d 100644 --- a/transport/internet/tls/config.pb.go +++ b/transport/internet/tls/config.pb.go @@ -1,7 +1,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: // protoc-gen-go v1.25.0 -// protoc v3.14.0 +// protoc v3.15.6 // source: transport/internet/tls/config.proto package tls @@ -200,6 +200,8 @@ type Config struct { CipherSuites string `protobuf:"bytes,9,opt,name=cipher_suites,json=cipherSuites,proto3" json:"cipher_suites,omitempty"` // Whether the server selects its most preferred ciphersuite. PreferServerCipherSuites bool `protobuf:"varint,10,opt,name=prefer_server_cipher_suites,json=preferServerCipherSuites,proto3" json:"prefer_server_cipher_suites,omitempty"` + // TLS Client Hello fingerprint (uTLS). + Fingerprint string `protobuf:"bytes,11,opt,name=fingerprint,proto3" json:"fingerprint,omitempty"` } func (x *Config) Reset() { @@ -304,6 +306,13 @@ func (x *Config) GetPreferServerCipherSuites() bool { return false } +func (x *Config) GetFingerprint() string { + if x != nil { + return x.Fingerprint + } + return "" +} + var File_transport_internet_tls_config_proto protoreflect.FileDescriptor var file_transport_internet_tls_config_proto_rawDesc = []byte{ @@ -333,7 +342,7 @@ var file_transport_internet_tls_config_proto_rawDesc = []byte{ 0x43, 0x49, 0x50, 0x48, 0x45, 0x52, 0x4d, 0x45, 0x4e, 0x54, 0x10, 0x00, 0x12, 0x14, 0x0a, 0x10, 0x41, 0x55, 0x54, 0x48, 0x4f, 0x52, 0x49, 0x54, 0x59, 0x5f, 0x56, 0x45, 0x52, 0x49, 0x46, 0x59, 0x10, 0x01, 0x12, 0x13, 0x0a, 0x0f, 0x41, 0x55, 0x54, 0x48, 0x4f, 0x52, 0x49, 0x54, 0x59, 0x5f, - 0x49, 0x53, 0x53, 0x55, 0x45, 0x10, 0x02, 0x22, 0xd3, 0x03, 0x0a, 0x06, 0x43, 0x6f, 0x6e, 0x66, + 0x49, 0x53, 0x53, 0x55, 0x45, 0x10, 0x02, 0x22, 0xf5, 0x03, 0x0a, 0x06, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x25, 0x0a, 0x0e, 0x61, 0x6c, 0x6c, 0x6f, 0x77, 0x5f, 0x69, 0x6e, 0x73, 0x65, 0x63, 0x75, 0x72, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0d, 0x61, 0x6c, 0x6c, 0x6f, 0x77, 0x49, 0x6e, 0x73, 0x65, 0x63, 0x75, 0x72, 0x65, 0x12, 0x4a, 0x0a, 0x0b, 0x63, 0x65, 0x72, @@ -362,15 +371,17 @@ var file_transport_internet_tls_config_proto_rawDesc = []byte{ 0x0a, 0x1b, 0x70, 0x72, 0x65, 0x66, 0x65, 0x72, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x5f, 0x63, 0x69, 0x70, 0x68, 0x65, 0x72, 0x5f, 0x73, 0x75, 0x69, 0x74, 0x65, 0x73, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x08, 0x52, 0x18, 0x70, 0x72, 0x65, 0x66, 0x65, 0x72, 0x53, 0x65, 0x72, 0x76, 0x65, - 0x72, 0x43, 0x69, 0x70, 0x68, 0x65, 0x72, 0x53, 0x75, 0x69, 0x74, 0x65, 0x73, 0x42, 0x73, 0x0a, - 0x1f, 0x63, 0x6f, 0x6d, 0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e, 0x74, 0x72, 0x61, 0x6e, 0x73, 0x70, - 0x6f, 0x72, 0x74, 0x2e, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x2e, 0x74, 0x6c, 0x73, - 0x50, 0x01, 0x5a, 0x30, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x78, - 0x74, 0x6c, 0x73, 0x2f, 0x78, 0x72, 0x61, 0x79, 0x2d, 0x63, 0x6f, 0x72, 0x65, 0x2f, 0x74, 0x72, - 0x61, 0x6e, 0x73, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65, 0x74, - 0x2f, 0x74, 0x6c, 0x73, 0xaa, 0x02, 0x1b, 0x58, 0x72, 0x61, 0x79, 0x2e, 0x54, 0x72, 0x61, 0x6e, - 0x73, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x49, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x2e, 0x54, - 0x6c, 0x73, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x72, 0x43, 0x69, 0x70, 0x68, 0x65, 0x72, 0x53, 0x75, 0x69, 0x74, 0x65, 0x73, 0x12, 0x20, 0x0a, + 0x0b, 0x66, 0x69, 0x6e, 0x67, 0x65, 0x72, 0x70, 0x72, 0x69, 0x6e, 0x74, 0x18, 0x0b, 0x20, 0x01, + 0x28, 0x09, 0x52, 0x0b, 0x66, 0x69, 0x6e, 0x67, 0x65, 0x72, 0x70, 0x72, 0x69, 0x6e, 0x74, 0x42, + 0x73, 0x0a, 0x1f, 0x63, 0x6f, 0x6d, 0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e, 0x74, 0x72, 0x61, 0x6e, + 0x73, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x2e, 0x74, + 0x6c, 0x73, 0x50, 0x01, 0x5a, 0x30, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, + 0x2f, 0x78, 0x74, 0x6c, 0x73, 0x2f, 0x78, 0x72, 0x61, 0x79, 0x2d, 0x63, 0x6f, 0x72, 0x65, 0x2f, + 0x74, 0x72, 0x61, 0x6e, 0x73, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x6e, + 0x65, 0x74, 0x2f, 0x74, 0x6c, 0x73, 0xaa, 0x02, 0x1b, 0x58, 0x72, 0x61, 0x79, 0x2e, 0x54, 0x72, + 0x61, 0x6e, 0x73, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x49, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65, 0x74, + 0x2e, 0x54, 0x6c, 0x73, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( diff --git a/transport/internet/tls/config.proto b/transport/internet/tls/config.proto index bd2bbdb8..7cae8436 100644 --- a/transport/internet/tls/config.proto +++ b/transport/internet/tls/config.proto @@ -64,4 +64,7 @@ message Config { // Whether the server selects its most preferred ciphersuite. bool prefer_server_cipher_suites = 10; + + // TLS Client Hello fingerprint (uTLS). + string fingerprint = 11; } diff --git a/transport/internet/tls/tls.go b/transport/internet/tls/tls.go index 5704214b..1e0329bf 100644 --- a/transport/internet/tls/tls.go +++ b/transport/internet/tls/tls.go @@ -3,6 +3,8 @@ package tls import ( "crypto/tls" + utls "github.com/refraction-networking/utls" + "github.com/xtls/xray-core/common/buf" "github.com/xtls/xray-core/common/net" ) @@ -41,23 +43,24 @@ func Client(c net.Conn, config *tls.Config) net.Conn { return &Conn{Conn: tlsConn} } -/* -func copyConfig(c *tls.Config) *utls.Config { +var Fingerprints = map[string]utls.ClientHelloID{ + "chrome": utls.HelloChrome_Auto, + "firefox": utls.HelloFirefox_Auto, + "safari": utls.HelloIOS_Auto, + "randomized": utls.HelloRandomized, +} + +func CopyConfig(c *tls.Config) *utls.Config { return &utls.Config{ + RootCAs: c.RootCAs, NextProtos: c.NextProtos, ServerName: c.ServerName, InsecureSkipVerify: c.InsecureSkipVerify, - MinVersion: utls.VersionTLS12, - MaxVersion: utls.VersionTLS12, + MinVersion: c.MinVersion, + MaxVersion: c.MaxVersion, } } -func UClient(c net.Conn, config *tls.Config) net.Conn { - uConfig := copyConfig(config) - return utls.Client(c, uConfig) -} -*/ - // Server initiates a TLS server handshake on the given connection. func Server(c net.Conn, config *tls.Config) net.Conn { tlsConn := tls.Server(c, config)